8 April 2026

Leveling Up: What To Know About The New FedRAMP Incident Response Procedures

Sheppard, Mullin, Richter & Hampton LLP

FedRAMP has released updated incident communication procedures as part of its modernization to FedRAMP 20x, introducing a new incident definition, an impact rating scale, and streamlined reporting timeframes tied to cloud service classification levels. The proposed changes aim to standardize how Cloud Service Providers report security incidents affecting federal customer data, with the comment period open until May 12, 2026.

On April 8, 2026, the Federal Risk and Authorization Management Program (“FedRAMP”) released Request for Comment (“RFC”) 0031, Updated Incident Communications Procedures. The document aims to clarify and standardize incident reporting expectations so that they are more consistent and practical for both CSPs and agencies. Comments may be submitted through May 12, 2026. This RFC is part of FedRAMP’s broader modernization effort as it transitions to FedRAMP 20x, as discussed in our prior blog post.

New Definition for Incident & Estimated Impact Ratings

The proposed incident response procedures focus incident reporting on “likely” or “confirmed” incidents that threaten the confidentiality or integrity of federal customer data. For the term “incident” itself, the RFC uses the statutory definition in 44 U.S.C. § 3552(b)(2): “an occurrence that—(A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.” Note that this definition also reaches availability and policy violations; the RFC’s reporting focus, as described, is narrower and centers on the confidentiality and integrity of federal customer data.

Cloud Service Providers (“CSPs”) will assign each incident an estimated potential adverse impact rating, based on the expected impact on agency customers of the cloud service offering, as follows:

  • N1 - Negligible Adverse Effect: Incident is expected to have a small negative impact on one or more agency users of the cloud service offering.
  • N2 - Limited Adverse Effect: Incident is expected to have a minor negative impact on one or more agency users of the cloud service offering.
  • N3 - Serious Adverse Effect: Incident is expected to have a significant negative impact on one agency user of the cloud service offering.
  • N4 - Catastrophic Adverse Effect or Serious Adverse Effect: Incident is expected to have either a severe negative impact on one agency user of the cloud service offering or a significant negative impact on multiple agency users of the cloud service offering.
  • N5 - Catastrophic Adverse Effect: Incident is expected to have a severe negative impact on multiple agency users of the cloud service offering.

Initial Incident Notification

Once a federally reportable incident has been identified, FedRAMP proposes the following default notification steps for all affected parties, unless otherwise agreed in writing:

  • Notify FedRAMP at fedramp_security@gsa.gov or fedramp_security@fedramp.gov
  • Follow each agency customer’s instructions and contact arrangements through the agency’s security point of contact.
  • Upload notification information to the cloud service offering’s secure portal or FedRAMP-compatible Trust Center.

RFC-0031 also states that, if an incident affects the confidentiality or integrity of federal customer data, CSPs must notify the Cybersecurity and Infrastructure Security Agency (“CISA”) by following CISA’s Incident Notification Instructions.

Incident Reporting Timeframes

The RFC proposes updating incident reporting timeframes to align with the sensitivity of the cloud service offering.

Importantly, as part of the FedRAMP 20x initiative, FedRAMP has updated its naming conventions. The legacy impact levels map to new Class designations, and what was previously a FedRAMP “Authorization” is now a FedRAMP “Certification”:

  Legacy FedRAMP Path    FedRAMP CR26 Path
  N/A                    Class A (Pilot Baseline)
  Low                    Class B (LI-SaaS and Low)
  Moderate               Class C (Moderate)
  High                   Class D (High)

Proposed incident reporting timeframes are based on the Class Certification levels above and the estimated impact rating of the incident (the specific deadline within each range depends on the assigned impact rating):

  • Class A (Pilot) and B (Low): Reporting timeline ranges from 6 hours to one business day.
  • Class C (Moderate): Reporting timeline ranges from 1 hour to one business day.
  • Class D (High): Reporting timeline ranges from 15 minutes to one hour.

FedRAMP also contemplates ongoing status reporting (as often as every 3 hours) while an incident is being investigated.

Next Steps

RFC-0031 is open for comment from FedRAMP stakeholders until May 12, 2026. Comments can be posted in the FedRAMP RFC-0031 GitHub discussion thread or emailed directly to pete@fedramp.gov.

FedRAMP plans to incorporate the outcome of this RFC (and other open RFCs) into FedRAMP’s Consolidated Rule Set (“CR26”), which is slated for release in June 2026. This will be a major milestone, compiling the new FedRAMP rules in one place. Enforcement of CR26 is expected to begin December 31, 2026.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
