IEC-CSO-EFRMUSTAll frameworksImplementation guide coming soonEvaluate FedRAMP Reportability
Incident Evaluation and Communication (IEC) · General Provider Responsibilities
Applies to: Providers
- Who this applies to
- Providers
- Service class
- All service classes
- Force
- MUST
- Timeframe
- No fixed timeframe
Reviewed implementation guidance for IEC-CSO-EFR is not published yet. The official source below remains complete and authoritative.
Expected evidence artifacts
- An incident log showing an example of one or more incidents being evaluated including the reason for the determination. The log can be from real incidents, simulated incidents, or a combination of sources.
Official FedRAMP source
Verbatim from FedRAMP/rules
Providers MUST promptly evaluate incidents to determine if they affect confidentiality or integrity of federal customer data or are likely to affect confidentiality or integrity of federal customer data; such incidents are FedRAMP Reportable Incidents and must be reported following the FedRAMP Incident Evaluation and Communication rules.
Defined terms in this requirement
Change history
2026-07-02Update terminology from "Response" to "Communication" in FedRAMP Incident Evaluation rules.2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.
Content provenance
Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.