Skip to main content
Pricing
Sign inRequest demo
IEC-CSO-EFRMUSTAll frameworksImplementation guide coming soon

Evaluate FedRAMP Reportability

Incident Evaluation and Communication (IEC) · General Provider Responsibilities

Applies to: Providers
Who this applies to
Providers
Service class
All service classes
Force
MUST
Timeframe
No fixed timeframe

Reviewed implementation guidance for IEC-CSO-EFR is not published yet. The official source below remains complete and authoritative.

Expected evidence artifacts

  • An incident log showing an example of one or more incidents being evaluated including the reason for the determination. The log can be from real incidents, simulated incidents, or a combination of sources.

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MUST promptly evaluate incidents to determine if they affect confidentiality or integrity of federal customer data or are likely to affect confidentiality or integrity of federal customer data; such incidents are FedRAMP Reportable Incidents and must be reported following the FedRAMP Incident Evaluation and Communication rules.

Defined terms in this requirement

Operationalize this rule

Boundera turns FedRAMP 20x requirements like IEC-CSO-EFR into assigned evidence, remediation work, and validation workflows.

Request demo

Change history

  • 2026-07-02Update terminology from "Response" to "Communication" in FedRAMP Incident Evaluation rules.
  • 2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.