AFC-CSO-TFGMUSTAll frameworksImplementation guide coming soonTrust @fedramp.gov and @gsa.gov
Addressing FedRAMP Communication (AFC) · General Provider Responsibilities
Applies to: Providers
- Who this applies to
- Providers
- Service class
- All service classes
- Force
- MUST
- Timeframe
- No fixed timeframe
Reviewed implementation guidance for AFC-CSO-TFG is not published yet. The official source below remains complete and authoritative.
Expected evidence artifacts
- Configuration settings for FSI mailbox
- Automated validation to check FSI mailbox configuration
Official FedRAMP source
Verbatim from FedRAMP/rules
Providers MUST treat any email originating from an @fedramp.gov or @gsa.gov email address as if it was sent from FedRAMP by default; if such a message is confirmed to originate from someone other than FedRAMP then the FedRAMP Security Inbox rules no longer apply.
Defined terms in this requirement
Change history
2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.
Content provenance
Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.