FedRAMP Response to CISA V1 ED 25-03

NTC-0010 published at Thu, 23 Apr 2026 18:00:00 GMT


This is a real emergency and action is required in response to CISA V1: ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices. This is NOT a test.

FedRAMP has been tasked with ensuring all federal agencies have the information they need from cloud services to respond to this Emergency Directive. This will avoid massive duplicative work for agencies and all cloud services.

Providers MUST complete required actions and report status to FedRAMP (Step 8) by 5:00 PM ET April 29, 2026 regardless of impact level.

PLEASE URGENTLY TAKE THE FOLLOWING REQUIRED ACTIONS IN ORDER!

  1. Providers MUST review CISA V1: Emergency Directive 25-03 to understand affected systems.

  2. Providers MUST identify all public-facing Cisco Firepower 1000, 2100, 4100, 9300 series and Secure Firewall 200, 1200, 3100, 4200, and 6100 series devices within the FedRAMP boundary for their cloud service offering(s).

    If no in-scope systems are identified, skip to step 8. Steps 3-7 are not required if no in-scope systems are identified. If in-scope systems are identified, proceed to step 3.

  3. Providers SHOULD collect logs from affected systems as outlined in the Supplemental Direction ED 25-03: Core Dump and Hunt Instructions to assist with hunt activities.

  4. Providers MUST evaluate all identified devices for indicators of compromise. If any indication of compromise or anomalous behavior is found or there is any suspected impact to federal systems, providers MUST follow the FedRAMP Incident Communication Procedures, which include reporting to CISA and agency customers.

    a. Providers SHOULD use CISA’s FIRESTARTER Backdoor Malware Analysis Report and/or other available threat intelligence reports to evaluate for indicators of compromise.

    b. Providers MAY submit core dumps of Cisco devices to CISA’s Malware Next Gen portal for evaluation.

  5. If no indicators of compromise are present, providers MUST apply Cisco-provided updates for all of the CVEs identified in the Emergency Directive by 11:59PM EST on April 24, 2026. This includes:

    a. The software updates to address CVE-2025-20333 and CVE-2025-20362, if not already patched; and,

    b. The recently released patch created for this specific persistence issue (links provided by device type in CISA’s step-by-step Core Dump and Hunt Instructions).

  6. Providers MUST perform a hard reset of the device(s) by physically unplugging the device’s power supply, as a reboot is not sufficient to expunge the malware, no later than April 29, 2026.

  7. Providers MUST upload supplemental information to the Incident Response folder in the FedRAMP repository and notify all agency customer Authorizing Official (or ISSO) POCs of the completed action(s).

    • File Format: Files should be compatible with modern spreadsheet applications. Acceptable file formats are Comma Separated Values (csv) or Microsoft Excel (xlsx).

    • Filename: ED-25-03-V1-Response-[FRID]

    Note: Replace the [FRID] placeholder with your corresponding information.

    • Recommended content:

      • List of the type(s) of affected systems.

      • Summary of actions taken and results, including the collection of artifacts, patching, and hunting actions.

      • Additional information you wish to provide to customers.

  8. Complete the FedRAMP V1: Emergency Directive 25-03 Response Form by 5:00 PM ET April 29, 2026.

    Please Note: Cloud service providers will have received an email in their FedRAMP Security Inbox with a link to the form. This Public Notice does not include the link!

Corrective Action

Corrective action will include public notification that the provider is not following FedRAMP Security Inbox rules.

Additional Background

If any indication of compromise or anomalous behavior is found or there is any suspected impact to federal systems, follow the FedRAMP Incident Communication Procedures, which include reporting to CISA and agency customers.

This email has also been posted as a FedRAMP Notification here: fedramp.gov/notices/0010

If you have any questions, please reach out to info@fedramp.gov and CyberDirectives@cisa.dhs.gov