
Incident Communications Procedures

The Incident Communications Procedures rules explain how providers must communicate incident information to FedRAMP, CISA, and government customers.


General Provider Responsibilities

These rules apply to providers with FedRAMP Certifications of any type.

Public Availability Reporting

ICP-CSO-PAR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers of Class A offerings SHOULD maintain a publicly accessible status service that indicates current and historical availability of core services within the cloud service offering over at least the past 30 days, including availability incidents, in both human-readable and machine-readable formats.

Providers of Class B offerings SHOULD maintain a publicly accessible status service that indicates current and historical availability of core services within the cloud service offering over at least the past 30 days, including availability incidents, in both human-readable and machine-readable formats.

Providers of Class C offerings MUST maintain a publicly accessible status service that indicates current and historical availability of core services within the cloud service offering over at least the past 30 days, including availability incidents, in both human-readable and machine-readable formats.

Providers of Class D offerings MUST maintain a publicly accessible status service that indicates current and historical availability of core services within the cloud service offering over at least the past 30 days, including availability incidents, in both human-readable and machine-readable formats.


Terms: Cloud Service Offering, Incident, Machine-Readable

Evaluate Federal Reportability

ICP-CSO-EFR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST promptly evaluate incidents to determine if they affect confidentiality or integrity of federal customer data or are likely to affect confidentiality or integrity of federal customer data.


Note: An incident that meets this test is a federal reportable incident.


Terms: Federal Customer Data, Federal Reportable Incident, Incident, Likely, Promptly

Estimate Federal Impact

ICP-CSO-EFI

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST evaluate federal reportable incidents to estimate adverse impact on government customers and assign a Potential Adverse Impact N-rating.

  1. N1 means negligible adverse effect on 1 or more agencies.
  2. N2 means limited adverse effect on 1 or more agencies.
  3. N3 means serious adverse effect on 1 agency.
  4. N4 means catastrophic adverse effect on 1 agency or serious adverse effect on more than 1 agency.
  5. N5 means catastrophic adverse effect on more than 1 agency.

Terms: Catastrophic Adverse Effect, Federal Reportable Incident, Incident, Limited Adverse Effect, Negligible Adverse Effect, Potential Adverse Impact, Serious Adverse Effect

Notify All Affected Parties

ICP-CSO-AAP

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST responsibly notify all affected parties after identifying federal reportable incidents using email, push notification, form submission, secure portal upload, or another method specified by FedRAMP rules or written agency agreement.

  1. Notify FedRAMP via fedramp_security@gsa.gov or fedramp_security@fedramp.gov.
  2. Follow contact arrangements provided by each agency customer's security contact.
  3. Upload notification information to the cloud service offering's secure portal or FedRAMP-compatible trust center.

Terms: All Affected Parties, Cloud Service Offering, Federal Reportable Incident, Incident, Responsibly, Trust Center

Notify Cybersecurity and Infrastructure Security Agency

ICP-CSO-CSA

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST responsibly notify the Cybersecurity and Infrastructure Security Agency if an incident affects or is likely to affect the confidentiality or integrity of federal customer data, following the Cybersecurity and Infrastructure Security Agency Federal Incident Notification Guidelines.

Reference: Cybersecurity and Infrastructure Security Agency Federal Incident Notification Guidelines


Terms: Federal Customer Data, Incident, Likely, Responsibly

Initial Incident Report

ICP-CSO-IIR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST responsibly notify all affected parties after identifying federal reportable incidents by providing an Initial Incident Report with all available required information.

  1. Contact information for the federal incident response coordinator.
  2. Provider tracking identifier.
  3. Description of the incident.
  4. Incident timeline.
  5. Historical and current Potential Adverse Impact estimates.
  6. Functional impact to federal agency customers.
  7. Estimated recovery plan, milestones, and timelines.

Terms: All Affected Parties, Federal Reportable Incident, Incident, Initial Incident Report (IIR), Potential Adverse Impact, Responsibly, Vulnerability Response

Ongoing Incident Reports

ICP-CSO-OIR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST responsibly notify all affected parties of ongoing activity by providing Ongoing Incident Reports as new information becomes available during incident response for federal reportable incidents.

  1. Updates or lack of updates to previously reported information.
  2. Attack vector, if identified.
  3. Observed incident activity.
  4. Indicators of compromise.
  5. Relevant Cybersecurity and Infrastructure Security Agency identifier, if available.
  6. Related Common Vulnerabilities and Exposures identifier, if applicable.
  7. Root cause.
  8. Response and recovery activities.

Terms: All Affected Parties, Federal Reportable Incident, Incident, Ongoing Incident Report (OIR), Responsibly, Vulnerability, Vulnerability Response

Final Incident Report

ICP-CSO-FIR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST responsibly notify all affected parties by providing a Final Incident Report once the incident has been resolved and recovery is complete, including final updates to all previously reported information.


Terms: All Affected Parties, Final Incident Report (FIR), Incident, Responsibly

Incident Report Timeframes

ICP-CSO-IRT

Changelog:

  • 2026-04-25: Drafted for human review from PROPOSED-RULES.md.

Providers of Class A offerings MUST notify all affected parties of federal reportable incidents within the maximum timeframes from evaluation or recovery shown below, based on the Potential Adverse Impact N-rating.

Potential Adverse Impact | Initial Incident Report | Ongoing Incident Report | Final Incident Report
N5                       | 6 hours                 | 1 business day          | 3 business days
N4                       | 6 hours                 | 1 business day          | 3 business days
N3                       | 12 hours                | 1 business day          | 3 business days
N2                       | 1 business day          | 1 business day          | 3 business days
N1                       | 1 business day          | 1 business day          | 3 business days

Providers of Class B offerings MUST notify all affected parties of federal reportable incidents within the maximum timeframes from evaluation or recovery shown below, based on the Potential Adverse Impact N-rating.

Potential Adverse Impact | Initial Incident Report | Ongoing Incident Report | Final Incident Report
N5                       | 6 hours                 | 1 business day          | 3 business days
N4                       | 6 hours                 | 1 business day          | 3 business days
N3                       | 12 hours                | 1 business day          | 3 business days
N2                       | 1 business day          | 1 business day          | 3 business days
N1                       | 1 business day          | 1 business day          | 3 business days

Providers of Class C offerings MUST notify all affected parties of federal reportable incidents within the maximum timeframes from evaluation or recovery shown below, based on the Potential Adverse Impact N-rating.

Potential Adverse Impact | Initial Incident Report | Ongoing Incident Report | Final Incident Report
N5                       | 1 hour                  | 6 hours                 | 6 hours
N4                       | 1 hour                  | 6 hours                 | 6 hours
N3                       | 6 hours                 | 24 hours                | 1 business day
N2                       | 24 hours                | 24 hours                | 1 business day
N1                       | 1 business day          | 1 business day          | 1 business day

Providers of Class D offerings MUST notify all affected parties of federal reportable incidents within the maximum timeframes from evaluation or recovery shown below, based on the Potential Adverse Impact N-rating.

Potential Adverse Impact | Initial Incident Report | Ongoing Incident Report | Final Incident Report
N5                       | 0.25 hours              | 3 hours                 | 3 hours
N4                       | 0.5 hours               | 6 hours                 | 6 hours
N3                       | 1 hour                  | 6 hours                 | 6 hours
N2                       | 1 hour                  | 6 hours                 | 6 hours
N1                       | 1 hour                  | 24 hours                | 24 hours

Terms: All Affected Parties, Federal Reportable Incident, Incident, Potential Adverse Impact
