Skip to main content
Pricing
Sign inRequest demo
IEC-CSO-EFISHOULDAll frameworksImplementation guide coming soon

Estimate Federal Impact

Incident Evaluation and Communication (IEC) · General Provider Responsibilities

Applies to: Providers
Who this applies to
Providers
Service class
All service classes
Force
SHOULD
Timeframe
No fixed timeframe

Reviewed implementation guidance for IEC-CSO-EFI is not published yet. The official source below remains complete and authoritative.

Information required

  • N1 for a likely minimal customer effect on 1 or more agencies.
  • N2 for a likely narrow customer effect on 1 or more agencies.
  • N3 for a likely disruptive customer effect on 1 agency.
  • N4 for a likely debilitating customer effect on 1 agency or a likely disruptive customer effect on more than 1 agency.
  • N5 for a likely debilitating customer effect on more than 1 agency.

Expected evidence artifacts

  • An incident log showing an example of one or more incidents being evaluated including the reason for the determination. The log can be from real incidents, simulated incidents, or a combination of sources.

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers SHOULD promptly estimate the likely adverse impact of an incident on agency customers to assign a Potential Agency Impact N-rating; this step is called Incident Rating.

Defined terms in this requirement

Operationalize this rule

Boundera turns FedRAMP 20x requirements like IEC-CSO-EFI into assigned evidence, remediation work, and validation workflows.

Request demo

Notes

  • All incidents must be assigned a default PAIN-5 as required by IEC-CSO-DPR (Default PAIN Rating) if this step is not completed.

Change history

  • 2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.