FedRAMP asks for incident-reporting comments
FedRAMP has opened a comment period on updated incident-reporting procedures, seeking input on definitions, timelines and enforcement for cloud providers handling federal data. The change tightens expectations around how vendors report and communicate security incidents, an item enterprise healthcare buyers are asking about during procurement. (executivegov.com)
A cloud company selling to the U.S. government can clear a long security review and still get into trouble over one basic question: when exactly do you tell the government that something went wrong? FedRAMP opened a public comment period on April 8, 2026, to rewrite that rulebook, with comments due by May 12, 2026. (fedramp.gov)

FedRAMP is the Federal Risk and Authorization Management Program, the government-wide system for checking whether cloud products are safe enough for federal agencies to use. Congress put FedRAMP into law in the FedRAMP Authorization Act, and the Office of Management and Budget reset the program in July 2024 with Memorandum M-24-15. (fedramp.gov) (whitehouse.gov)

The old incident rule was broad enough to sound simple and vague enough to cause fights. FedRAMP’s current Rev. 5 playbook tells providers to report any suspected or confirmed incident that causes actual or potential loss of confidentiality, integrity, or availability, and the new request says those words have not been followed or enforced consistently. (fedramp.gov 1) (fedramp.gov 2)

The rewrite starts by narrowing what needs a federal incident report. FedRAMP says outages that only affect availability should move to public status pages or other customer notices, while federal reporting should focus on likely or confirmed incidents that threaten the confidentiality or integrity of federal data. (fedramp.gov)

That is a big shift in practice because the current 20x pilot rules use a one-hour clock. Those rules say providers must notify FedRAMP within one hour of identifying an incident, notify agency customers within one hour, and notify the Cybersecurity and Infrastructure Security Agency within one hour when the incident is confirmed or suspected to involve a listed attack vector. (fedramp.gov)

The new request does not just ask whether the clock should change. It says reporting timeframes should match the potential adverse impact to the government, and it calls for much stricter requirements for cloud services that seek Class D, the high-impact certification tier in FedRAMP’s new structure. (fedramp.gov)

FedRAMP is also asking a practical question that compliance teams care about more than policy lawyers do. The request asks how federal reporting fields can line up with the incident records companies already create during normal commercial incident response, so vendors are not writing one report for customers and a second report for Washington. (fedramp.gov)

The current program already expects a steady stream of updates after the first alert. The 20x documentation says providers must update FedRAMP, the Cybersecurity and Infrastructure Security Agency when applicable, and agency customers at least once per calendar day until recovery is complete, then file a final report covering what happened, the root cause, lessons learned, and needed changes. (fedramp.gov)

FedRAMP is not presenting this as a side edit. In January 2026, the program said a batch of six requests for comment would complete its modernization under the FedRAMP Authorization Act and Office of Management and Budget Memorandum M-24-15, and the incident-reporting rewrite is one piece of that final cleanup. (fedramp.gov)

The deadline matters because FedRAMP says the final rule will be folded into the 2026 consolidated rules by the end of June 2026. It will apply to both the older Rev. 5 path and the newer 20x path, which means one reporting standard could soon govern both the legacy process and the faster one FedRAMP is trying to build. (fedramp.gov)

For cloud vendors, this is a comment period about definitions, clocks, and forms. For federal buyers, it is a test of whether the next version of FedRAMP can tell the difference between a service hiccup on a status page and a real breach touching government data, before the next incident forces that answer in public. (fedramp.gov)