Skip to main content
Pricing
Sign inRequest demo
AFC-CSO-TFGMUSTAll frameworksImplementation guide coming soon

Trust @fedramp.gov and @gsa.gov

Addressing FedRAMP Communication (AFC) · General Provider Responsibilities

Applies to: Providers
Who this applies to
Providers
Service class
All service classes
Force
MUST
Timeframe
No fixed timeframe

Reviewed implementation guidance for AFC-CSO-TFG is not published yet. The official source below remains complete and authoritative.

Expected evidence artifacts

  • Configuration settings for FSI mailbox
  • Automated validation to check FSI mailbox configuration

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MUST treat any email originating from an @fedramp.gov or @gsa.gov email address as if it was sent from FedRAMP by default; if such a message is confirmed to originate from someone other than FedRAMP then the FedRAMP Security Inbox rules no longer apply.

Defined terms in this requirement

Operationalize this rule

Boundera turns FedRAMP 20x requirements like AFC-CSO-TFG into assigned evidence, remediation work, and validation workflows.

Request demo

Change history

  • 2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.