FedRAMP Security Inbox¶
The FedRAMP Security Inbox rules ensure FedRAMP can reliably contact the security and compliance staff responsible for every FedRAMP-authorized cloud service offering. These rules also set expectations for urgent communications, response time testing, and routing important messages separately from general support or customer service channels.
General Provider Responsibilities¶
These rules apply to providers with any type of FedRAMP Certification.
Maintain a FedRAMP Security Inbox¶
FSI-CSO-INB
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers MUST establish and maintain an email address to receive messages from FedRAMP; this inbox is a FedRAMP Security Inbox (FSI).
Be careful using a personal email tied to an individual for this inbox due to the significant risk to future communications after a change in personnel!
Notes:
- Unless otherwise notified, FedRAMP will use the listed Security Email on the Marketplace for these notifications.
- If a provider establishes a new inbox in reaction to this guidance that is different from the Security Email then they must follow the FSI-CSO-NOC rules to notify FedRAMP.
Terms: FedRAMP Security Inbox
Notification of Changes¶
FSI-CSO-NOC
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
This FRR includes a notification requirement!
- Notify FedRAMP by email using info@fedramp.gov.
Providers MUST immediately notify FedRAMP of any changes in addressing for their FedRAMP Security Inbox by emailing info@fedramp.gov with the name and FedRAMP ID of the cloud service offering and the updated email address.
Trust @fedramp.gov and @gsa.gov¶
FSI-CSO-TFG
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers MUST treat any email originating from an @fedramp.gov or @gsa.gov email address as if it was sent from FedRAMP by default; if such a message is confirmed to originate from someone other than FedRAMP then the FedRAMP Security Inbox rules no longer apply.
Terms: FedRAMP Security Inbox
Receive Email Without Disruption¶
FSI-CSO-RCV
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers MUST receive and react to email messages from FedRAMP without disruption and without requiring additional actions from FedRAMP.
Note: This requirement is intended to prevent cloud service providers from requiring FedRAMP to complete a CAPTCHA, log into a customer portal, or otherwise take service-specific actions that might prevent the security team from receiving the message.
Complete Required Actions¶
FSI-CSO-CRA
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers MUST complete the required actions in Emergency or Emergency Test designated messages sent by FedRAMP within the timeframe included in the message.
Note: Timeframes may vary by FedRAMP Certification class.
Emergency Message Routing¶
FSI-CSO-EMR
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers MUST route Emergency designated messages sent by FedRAMP to a senior security official for their awareness.
Note: Senior security officials are determined by the provider.
Important Message Actions¶
FSI-CSO-IMA
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers SHOULD complete the required actions in Important designated messages sent by FedRAMP within the timeframe specified in the message.
Note: Timeframes may vary by FedRAMP Certification class.
Acknowledge Receipt¶
FSI-CSO-ACK
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers SHOULD promptly and automatically acknowledge the receipt of messages received from FedRAMP in their FedRAMP Security Inbox.
Terms: FedRAMP Security Inbox, Promptly