Skip to main content
WhyHow It WorksFeaturesPricingBlog
Sign inRequest demo
ICP-CSO-FIRAll frameworksImplementation guide coming soon

Final Incident Report

Incident Communications Procedures (ICP) · General Provider Responsibilities

Applies to: Providers
Who this applies to
Providers
Service class
Varies: A, B, C, D
Force
Varies by class
Timeframe
No fixed timeframe

Reviewed implementation guidance for ICP-CSO-FIR is not published yet. The official source below remains complete and authoritative.

Notification

  • Notify FedRAMP via email: fedramp_security@fedramp.gov
  • Notify Agency Customers via update: incident contact procedures documented in contract agreement
  • Notify All Necessary Parties via update: trust center

Official FedRAMP source

Verbatim from FedRAMP/rules

This requirement varies by FedRAMP Certification class. Each class has its own statement:

Class A

MUST
Providers with Class A Certifications MUST responsibly notify all affected parties by providing a Final Incident Report once the incident has been resolved and recovery is complete, including final updates to all previously reported information.

Class B

MUST
Providers with Class B Certifications MUST responsibly notify all affected parties by providing a Final Incident Report once the incident has been resolved and recovery is complete, including final updates to all previously reported information.

Class C

MUST
Providers with Class C Certifications MUST responsibly notify all affected parties by providing a Final Incident Report once the incident has been resolved and recovery is complete, including final updates to all previously reported information.

Class D

MUST
Providers with Class D Certifications MUST responsibly notify all affected parties by providing a Final Incident Report once the incident has been resolved and recovery is complete, including final updates to all previously reported information.

Defined terms in this requirement

All Affected PartiesFinal Incident Report (FIR)IncidentProviderResponsibly

Change history

  • 2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.