AFC-CSO-INBMUSTAll frameworksImplementation guide coming soonMaintain a FedRAMP Security Inbox
Addressing FedRAMP Communication (AFC) · General Provider Responsibilities
Applies to: Providers
- Who this applies to
- Providers
- Service class
- All service classes
- Force
- MUST
- Timeframe
- No fixed timeframe
Reviewed implementation guidance for AFC-CSO-INB is not published yet. The official source below remains complete and authoritative.
Expected evidence artifacts
- Email address to receive messages from FedRAMP
Official FedRAMP source
Verbatim from FedRAMP/rules
Providers MUST establish and maintain an email address to receive messages from FedRAMP; this inbox is a FedRAMP Security Inbox (FSI).
Be careful using a personal email tied to an individual for this inbox due to the significant risk to future communications after a change in personnel!
Defined terms in this requirement
Notes
- Unless otherwise notified, FedRAMP will use the listed Security Email on the Marketplace for these notifications.
- If a provider establishes a new inbox in reaction to this guidance that is different from the Security Email then they must follow the AFC-CSO-NOC (Notification of Changes) rules to notify FedRAMP.
Change history
2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.
Content provenance
Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.