FedRAMP tightens incident reporting
FedRAMP has asked the public for feedback on updated incident-reporting procedures that clarify thresholds, timelines and enforcement expectations for cloud providers. The request for comment formalises definitions around what counts as a reportable event and asks for input on evidence preservation and communications steps. (executivegov.com)
FedRAMP is trying to fix a basic problem: cloud companies serving federal agencies have long been told to report “any incident,” but the rule was so broad that, by FedRAMP’s own account, many providers rarely notified the program at all. On April 8, 2026, FedRAMP opened public comment on a rewrite that is supposed to turn that vague standard into a rules-based system providers can actually follow. (fedramp.gov)
FedRAMP is the Federal Risk and Authorization Management Program, the government-wide system agencies use to vet cloud services before putting federal data in them. FedRAMP says its marketplace currently lists 504 authorized services and 23 services on its newer “20x” track. (fedramp.gov, fedramp.gov)
The rewrite shifts one big category out of the federal incident queue: outages and slowdowns that affect availability would go to public status pages or similar customer notices instead of triggering a separate federal-only report. FedRAMP says the reporting channel should focus on likely or confirmed incidents that threaten the confidentiality or integrity of federal customer data. (fedramp.gov)
That is a meaningful change because availability is the “site is down” problem, while confidentiality and integrity are the “someone saw data they should not” or “someone changed data they should not” problems. FedRAMP is drawing a sharper line so providers spend less time filing government paperwork about incidents agencies can already see on a status page. (fedramp.gov)
FedRAMP also says the new timelines should scale with the risk to government systems instead of treating every provider the same. The draft says cloud services that commit to Class D, the high-impact tier in FedRAMP’s new certification structure, would face much stricter reporting requirements than lower-impact services. (fedramp.gov)
This is part of a much larger rebuild that started after Congress put FedRAMP into law in December 2022 and after the Office of Management and Budget issued Memorandum M-24-15 on July 25, 2024 to modernize the program. FedRAMP said in January 2026 that this batch of requests for comment was meant to finish the major structural changes and move the program into implementation. (fedramp.gov, whitehouse.gov, fedramp.gov)
The timing matters because FedRAMP has been removing older process bottlenecks elsewhere too. In February 2026, it said many providers would no longer need government permission every time they improved a service, replacing the old Significant Change Request process with an optional Significant Change Notification model. (fedramp.gov) Incident reporting is the flip side of that bargain: if FedRAMP is going to let providers ship changes faster, it needs cleaner rules for when those providers must raise a hand quickly after something goes wrong. (fedramp.gov, fedramp.gov)
FedRAMP is not starting from zero here. Its current 20x incident procedures already require providers to notify FedRAMP within 1 hour of identifying an incident, notify agency customers within 1 hour, notify the Cybersecurity and Infrastructure Security Agency within 1 hour for certain attack vectors, send updates at least once per calendar day, and publish a final report after recovery. (fedramp.gov)
What is new in this request for comment is the attempt to define the reportable event more tightly and to standardize the data that must be included when a federal report is filed. FedRAMP says it also wants feedback on how to match these federal requirements to the incident records companies already create during ordinary commercial incident response. (fedramp.gov)
The comment window runs from April 8, 2026 to May 12, 2026, and FedRAMP says the final version will be folded into its Consolidated Rules for 2026 by the end of June. Those rules are supposed to apply across both the older Revision 5 path and the newer 20x path, which means one incident-reporting playbook could soon cover almost every cloud provider trying to sell into the federal market. (fedramp.gov, fedramp.gov)