Skip to main content
Pricing
Sign inRequest demo
IEC-CSO-OIRAll frameworksImplementation guide coming soon

Ongoing Incident Reports

Incident Evaluation and Communication (IEC) · General Provider Responsibilities

Applies to: Providers
Who this applies to
Providers
Service class
Varies: A, B, C, D
Force
Varies by class
Timeframe
No fixed timeframe

Reviewed implementation guidance for IEC-CSO-OIR is not published yet. The official source below remains complete and authoritative.

Notification

  • Notify FedRAMP via email: fedramp_security@fedramp.gov
  • Notify Agency Customers via varies: varies by agency
  • Notify All Necessary Parties via update: trust center

Official FedRAMP source

Verbatim from FedRAMP/rules

This requirement varies by FedRAMP Certification class. Each class has its own statement:

Class A

SHOULD
Providers with Class A Certifications SHOULD responsibly notify all affected parties of ongoing activity as new information becomes available during incident response for FedRAMP Reportable Incidents, including updates (or lack of updates) to all previously reported information and as much of the the following additional information that is available and/or the current relevant status for each item:

Class B

MUST
Providers with Class B Certifications MUST responsibly notify all affected parties of ongoing activity as new information becomes available during incident response for FedRAMP Reportable Incidents, including updates (or lack of updates) to all previously reported information and as much of the the following additional information that is available and/or the current relevant status for each item:

Class C

MUST
Providers with Class C Certifications MUST responsibly notify all affected parties of ongoing activity as new information becomes available during incident response for FedRAMP Reportable Incidents, including updates (or lack of updates) to all previously reported information and as much of the the following additional information that is available and/or the current relevant status for each item:

Class D

MUST
Providers with Class D Certifications MUST responsibly notify all affected parties of ongoing activity as new information becomes available during incident response for FedRAMP Reportable Incidents, including updates (or lack of updates) to all previously reported information and as much of the the following additional information that is available and/or the current relevant status for each item:

Defined terms in this requirement

Operationalize this rule

Boundera turns FedRAMP 20x requirements like IEC-CSO-OIR into assigned evidence, remediation work, and validation workflows.

Request demo

Change history

  • 2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.