diff --git a/fedramp-consolidated-rules.json b/fedramp-consolidated-rules.json index 0f5134f..e828c0b 100644 --- a/fedramp-consolidated-rules.json +++ b/fedramp-consolidated-rules.json @@ -2,8 +2,8 @@ "info": { "title": "FedRAMP Consolidated Rules for 2026", "description": "This datafile contains the Consolidated Rules for FedRAMP in structured machine-readable text. It includes definitions, requirements, recommendations, and key security indicators.", - "version": "2026.07.01.01", - "last_updated": "2026-07-01", + "version": "2026.07.02.02", + "last_updated": "2026-07-02", "default_artifacts": { "FRR": [ "Explanation of how the rule is followed, or an explanation of the reason and resulting risk to customers for not following the rule.", @@ -444,7 +444,7 @@ }, "FRD-FIR": { "term": "Final Incident Report (FIR)", - "definition": "A final report after recovery from an incident that is supplied by FedRAMP Certified cloud service providers to FedRAMP and agency customers, following FedRAMP Incident Evaluation and Response rules.", + "definition": "A final report after recovery from an incident that is supplied by FedRAMP Certified cloud service providers to FedRAMP and agency customers, following FedRAMP Incident Evaluation and Communication rules.", "tag": "Incident", "alts": [ "final incident report", @@ -453,6 +453,10 @@ "FIRs" ], "updated": [ + { + "date": "2026-07-02", + "comment": "Update terminology from \"Response\" to \"Communication\" in FedRAMP Incident Evaluation rules." + }, { "date": "2026-06-24", "comment": "Official launch of the FedRAMP Consolidated Rules for 2026." @@ -541,7 +545,7 @@ }, "FRD-IIR": { "term": "Initial Incident Report (IIR)", - "definition": "An initial report about an incident that is supplied by FedRAMP Certified cloud service providers to FedRAMP and agency customers, following FedRAMP FedRAMP Incident Evaluation and Response rules.", + "definition": "An initial report about an incident that is supplied by FedRAMP Certified cloud service providers to FedRAMP and agency customers, following FedRAMP FedRAMP Incident Evaluation and Communication rules.", "tag": "Incident", "alts": [ "initial incident report", @@ -550,6 +554,10 @@ "IIRs" ], "updated": [ + { + "date": "2026-07-02", + "comment": "Update terminology from \"Response\" to \"Communication\" in FedRAMP Incident Evaluation rules." + }, { "date": "2026-06-24", "comment": "Official launch of the FedRAMP Consolidated Rules for 2026." @@ -719,7 +727,7 @@ }, "FRD-OIR": { "term": "Ongoing Incident Report (OIR)", - "definition": "A recurring report about an ongoing incident that is supplied by FedRAMP Certified cloud service providers to FedRAMP and agency customers, following the FedRAMP Incident Evaluation and Response rules.", + "definition": "A recurring report about an ongoing incident that is supplied by FedRAMP Certified cloud service providers to FedRAMP and agency customers, following the FedRAMP Incident Evaluation and Communication rules.", "tag": "Incident", "alts": [ "ongoing incident report", @@ -728,6 +736,10 @@ "OIRs" ], "updated": [ + { + "date": "2026-07-02", + "comment": "Update terminology from \"Response\" to \"Communication\" in FedRAMP Incident Evaluation rules." + }, { "date": "2026-06-24", "comment": "Official launch of the FedRAMP Consolidated Rules for 2026." @@ -5476,15 +5488,19 @@ "FRP": { "IEC-FRP-ORV": { "name": "Ongoing Review", - "statement": "FedRAMP MUST periodically review FedRAMP Incident Evaluation and Response implementation with providers based on lack of reporting or other information.", + "statement": "FedRAMP MUST periodically review FedRAMP Incident Evaluation and Communication implementation with providers based on lack of reporting or other information.", "corrective_actions": [ "FedRAMP will request a Corrective Action Plan when a provider is unaware of the rules or has failed to implement proper procedures.", "FedRAMP will grant a 3 month grace period to implement proper procedures pending remediation and possible revocation of FedRAMP Certification." ], "force": "MUST", "affects": ["FedRAMP"], - "terms": ["Incident", "Provider", "Vulnerability Response"], + "terms": ["Incident", "Provider"], "updated": [ + { + "date": "2026-07-02", + "comment": "Update terminology from \"Response\" to \"Communication\" in FedRAMP Incident Evaluation rules." + }, { "date": "2026-06-24", "comment": "Official launch of the FedRAMP Consolidated Rules for 2026." @@ -5495,7 +5511,7 @@ "CSO": { "IEC-CSO-EFR": { "name": "Evaluate FedRAMP Reportability", - "statement": "Providers MUST promptly evaluate incidents to determine if they affect confidentiality or integrity of federal customer data or are likely to affect confidentiality or integrity of federal customer data; such incidents are FedRAMP Reportable Incidents and must be reported following the FedRAMP Incident Evaluation and Response rules.", + "statement": "Providers MUST promptly evaluate incidents to determine if they affect confidentiality or integrity of federal customer data or are likely to affect confidentiality or integrity of federal customer data; such incidents are FedRAMP Reportable Incidents and must be reported following the FedRAMP Incident Evaluation and Communication rules.", "force": "MUST", "affects": ["Providers"], "artifacts": { @@ -5509,10 +5525,13 @@ "Incident", "Likely", "Promptly", - "Provider", - "Vulnerability Response" + "Provider" ], "updated": [ + { + "date": "2026-07-02", + "comment": "Update terminology from \"Response\" to \"Communication\" in FedRAMP Incident Evaluation rules." + }, { "date": "2026-06-24", "comment": "Official launch of the FedRAMP Consolidated Rules for 2026." @@ -8372,7 +8391,7 @@ "affects": ["Providers"], "artifacts": { "all": [ - "Evidence of signifincat change evaluation including a description fo the change, the determined type, and an explanation for the decision. At least one example must be provided for each type of change. Real examples are prefered but the provider may use fictitious examples as long as the example provides evidence of the decision making process." + "Evidence of significant change evaluation including a description fo the change, the determined type, and an explanation for the decision. At least one example must be provided for each type of change. Real examples are prefered but the provider may use fictitious examples as long as the example provides evidence of the decision making process." ] }, "schema": {