Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 30 additions & 11 deletions fedramp-consolidated-rules.json
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@
"info": {
"title": "FedRAMP Consolidated Rules for 2026",
"description": "This datafile contains the Consolidated Rules for FedRAMP in structured machine-readable text. It includes definitions, requirements, recommendations, and key security indicators.",
"version": "2026.07.01.01",
"last_updated": "2026-07-01",
"version": "2026.07.02.02",
"last_updated": "2026-07-02",
"default_artifacts": {
"FRR": [
"Explanation of how the rule is followed, or an explanation of the reason and resulting risk to customers for not following the rule.",
Expand Down Expand Up @@ -444,7 +444,7 @@
},
"FRD-FIR": {
"term": "Final Incident Report (FIR)",
"definition": "A final report after recovery from an incident that is supplied by FedRAMP Certified cloud service providers to FedRAMP and agency customers, following FedRAMP Incident Evaluation and Response rules.",
"definition": "A final report after recovery from an incident that is supplied by FedRAMP Certified cloud service providers to FedRAMP and agency customers, following FedRAMP Incident Evaluation and Communication rules.",
"tag": "Incident",
"alts": [
"final incident report",
Expand All @@ -453,6 +453,10 @@
"FIRs"
],
"updated": [
{
"date": "2026-07-02",
"comment": "Update terminology from \"Response\" to \"Communication\" in FedRAMP Incident Evaluation rules."
},
{
"date": "2026-06-24",
"comment": "Official launch of the FedRAMP Consolidated Rules for 2026."
Expand Down Expand Up @@ -541,7 +545,7 @@
},
"FRD-IIR": {
"term": "Initial Incident Report (IIR)",
"definition": "An initial report about an incident that is supplied by FedRAMP Certified cloud service providers to FedRAMP and agency customers, following FedRAMP FedRAMP Incident Evaluation and Response rules.",
"definition": "An initial report about an incident that is supplied by FedRAMP Certified cloud service providers to FedRAMP and agency customers, following FedRAMP FedRAMP Incident Evaluation and Communication rules.",
"tag": "Incident",
"alts": [
"initial incident report",
Expand All @@ -550,6 +554,10 @@
"IIRs"
],
"updated": [
{
"date": "2026-07-02",
"comment": "Update terminology from \"Response\" to \"Communication\" in FedRAMP Incident Evaluation rules."
},
{
"date": "2026-06-24",
"comment": "Official launch of the FedRAMP Consolidated Rules for 2026."
Expand Down Expand Up @@ -719,7 +727,7 @@
},
"FRD-OIR": {
"term": "Ongoing Incident Report (OIR)",
"definition": "A recurring report about an ongoing incident that is supplied by FedRAMP Certified cloud service providers to FedRAMP and agency customers, following the FedRAMP Incident Evaluation and Response rules.",
"definition": "A recurring report about an ongoing incident that is supplied by FedRAMP Certified cloud service providers to FedRAMP and agency customers, following the FedRAMP Incident Evaluation and Communication rules.",
"tag": "Incident",
"alts": [
"ongoing incident report",
Expand All @@ -728,6 +736,10 @@
"OIRs"
],
"updated": [
{
"date": "2026-07-02",
"comment": "Update terminology from \"Response\" to \"Communication\" in FedRAMP Incident Evaluation rules."
},
{
"date": "2026-06-24",
"comment": "Official launch of the FedRAMP Consolidated Rules for 2026."
Expand Down Expand Up @@ -5476,15 +5488,19 @@
"FRP": {
"IEC-FRP-ORV": {
"name": "Ongoing Review",
"statement": "FedRAMP MUST periodically review FedRAMP Incident Evaluation and Response implementation with providers based on lack of reporting or other information.",
"statement": "FedRAMP MUST periodically review FedRAMP Incident Evaluation and Communication implementation with providers based on lack of reporting or other information.",
"corrective_actions": [
"FedRAMP will request a Corrective Action Plan when a provider is unaware of the rules or has failed to implement proper procedures.",
"FedRAMP will grant a 3 month grace period to implement proper procedures pending remediation and possible revocation of FedRAMP Certification."
],
"force": "MUST",
"affects": ["FedRAMP"],
"terms": ["Incident", "Provider", "Vulnerability Response"],
"terms": ["Incident", "Provider"],
"updated": [
{
"date": "2026-07-02",
"comment": "Update terminology from \"Response\" to \"Communication\" in FedRAMP Incident Evaluation rules."
},
{
"date": "2026-06-24",
"comment": "Official launch of the FedRAMP Consolidated Rules for 2026."
Expand All @@ -5495,7 +5511,7 @@
"CSO": {
"IEC-CSO-EFR": {
"name": "Evaluate FedRAMP Reportability",
"statement": "Providers MUST promptly evaluate incidents to determine if they affect confidentiality or integrity of federal customer data or are likely to affect confidentiality or integrity of federal customer data; such incidents are FedRAMP Reportable Incidents and must be reported following the FedRAMP Incident Evaluation and Response rules.",
"statement": "Providers MUST promptly evaluate incidents to determine if they affect confidentiality or integrity of federal customer data or are likely to affect confidentiality or integrity of federal customer data; such incidents are FedRAMP Reportable Incidents and must be reported following the FedRAMP Incident Evaluation and Communication rules.",
"force": "MUST",
"affects": ["Providers"],
"artifacts": {
Expand All @@ -5509,10 +5525,13 @@
"Incident",
"Likely",
"Promptly",
"Provider",
"Vulnerability Response"
"Provider"
],
"updated": [
{
"date": "2026-07-02",
"comment": "Update terminology from \"Response\" to \"Communication\" in FedRAMP Incident Evaluation rules."
},
{
"date": "2026-06-24",
"comment": "Official launch of the FedRAMP Consolidated Rules for 2026."
Expand Down Expand Up @@ -8372,7 +8391,7 @@
"affects": ["Providers"],
"artifacts": {
"all": [
"Evidence of signifincat change evaluation including a description fo the change, the determined type, and an explanation for the decision. At least one example must be provided for each type of change. Real examples are prefered but the provider may use fictitious examples as long as the example provides evidence of the decision making process."
"Evidence of significant change evaluation including a description fo the change, the determined type, and an explanation for the decision. At least one example must be provided for each type of change. Real examples are prefered but the provider may use fictitious examples as long as the example provides evidence of the decision making process."
]
},
"schema": {
Expand Down
Loading