Page Info

Description: Explanation of the role FedRAMP plays in coordinating cloud service provider responses to CISA EDs and BODs on behalf of the federal government, and why agencies have to let us do it.

Purpose: CISA EDs and BODs will be able to link to this page and send it out to agencies during an event so they know exactly what to do instead of having constant wonky info sessions and stuff.

Responding to CISA Emergency and Binding Operational Directives

FedRAMP actively responds to CISA Binding Operational Directives (BODs) and Emergency Directives (EDs). In cases where a CISA BOD or ED applies to the cloud computing community, FedRAMP will place a reporting requirement on FedRAMP certified cloud service providers. FedRAMP uses the FedRAMP Security Inbox to communicate about urgent security matters.

FedRAMP collects responses to CISA BODs and EDs on behalf of the federal government and disseminates the responses to federal agencies. Agencies SHOULD NOT reach out individually to FedRAMP certified cloud providers, as this duplicates effort and can slow response times. Federal agencies that use cloud services that are NOT FedRAMP certified are responsible for collecting their own responses from non-FedRAMP-certified cloud providers. Agencies should determine whether they are using the FedRAMP certified version of a cloud service, as many cloud providers have separate commercial and federal tenants.
