Addressing FedRAMP Communication¶
The Addressing FedRAMP Communication rules (formerly FedRAMP Security Inbox) ensure FedRAMP can reliably contact the security and compliance staff responsible for every FedRAMP-authorized cloud service offering. These rules also set expectations for urgent communications, response time testing, and routing important messages separately from general support or customer service channels.
Effective Date(s) & Overall Applicability for Rev5
- Required (Consolidated Rules for 2026)
- Obtain: 2026-01-05
- Maintain: 2026-01-05
- Grace Ends: 2026-07-01
General Provider Responsibilities¶
These rules apply to providers with any type of FedRAMP Certification.
Path: ProgramAgency
Class: Class BClass CClass D
Audience: Providers
Maintain a FedRAMP Security Inbox¶
AFC-CSO-INB
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST establish and maintain an email address to receive messages from FedRAMP; this inbox is a FedRAMP Security Inbox (FSI).
Be careful using a personal email tied to an individual for this inbox due to the significant risk to future communications after a change in personnel!
Notes:
- Unless otherwise notified, FedRAMP will use the listed Security Email on the Marketplace for these notifications.
- If a provider establishes a new inbox in reaction to this guidance that is different from the Security Email then they must follow the AFC-CSO-NOC (Notification of Changes) rules to notify FedRAMP.
Terms: FedRAMP Security Inbox
Notification of Changes¶
AFC-CSO-NOC
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
This FRR includes a notification requirement!
- Notify FedRAMP via form: [CSP] Notification of Changes.
Providers MUST immediately notify FedRAMP of any changes to the email address for their FedRAMP Security Inbox.
Terms: FedRAMP Security Inbox
Trust @fedramp.gov and @gsa.gov¶
AFC-CSO-TFG
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST treat any email originating from an @fedramp.gov or @gsa.gov email address as if it was sent from FedRAMP by default; if such a message is confirmed to originate from someone other than FedRAMP then the FedRAMP Security Inbox rules no longer apply.
Terms: FedRAMP Security Inbox
Receive Email Without Disruption¶
AFC-CSO-RCV
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST receive and react to email messages from FedRAMP without disruption and without requiring additional actions from FedRAMP.
Note: This requirement is intended to prevent cloud service providers from requiring FedRAMP to complete a CAPTCHA, log into a customer portal, or otherwise take service-specific actions that might prevent the security team from receiving the message.
Complete Required Actions¶
AFC-CSO-CRA
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST complete the required actions in Emergency or Emergency Test designated messages sent by FedRAMP within the timeframe included in the message.
Note: Timeframes may vary by FedRAMP Certification class.
Terms: Certification Class
Emergency Message Routing¶
AFC-CSO-EMR
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST route Emergency designated messages sent by FedRAMP to a senior security official for their awareness.
Note: Senior security officials are determined by the provider.
Important Message Actions¶
AFC-CSO-IMA
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers SHOULD complete the required actions in Important designated messages sent by FedRAMP within the timeframe specified in the message.
Note: Timeframes may vary by FedRAMP Certification class.
Terms: Certification Class
Acknowledge Receipt¶
AFC-CSO-ACK
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers SHOULD promptly and automatically acknowledge the receipt of messages received from FedRAMP in their FedRAMP Security Inbox.
Terms: FedRAMP Security Inbox, Promptly