Automate Detection
Providers SHOULD use automated services to improve and streamline vulnerability detection and response.
The Vulnerability Detection and Response rules require providers to continuously identify, analyze, prioritize, mitigate, and remediate vulnerabilities and related exposures through automated systems. These rules give providers flexibility in implementation while ensuring agencies receive the information needed to support ongoing authorization decisions.
These rules apply to all providers with FedRAMP Certifications of any type.
Providers SHOULD NOT deploy or otherwise activate new machine-based information resources with Known Exploited Vulnerabilities.
Providers SHOULD automatically perform vulnerability detection on representative samples of new or significantly changed information resources.
Providers MUST systematically, persistently, and promptly discover and identify vulnerabilities within their cloud service offering using appropriate techniques such as assessment, scanning, threat intelligence, vulnerability disclosure mechanisms, bug bounties, penetration testing, incident response, automated control testing, supply chain monitoring, and other relevant capabilities; this process is called vulnerability detection. Vulnerability detection includes persistently verifying and validating that information resources and processes are operating as intended and documented for FedRAMP Practices.
Providers SHOULD make design and architecture decisions for their cloud service offering that mitigate the risk of vulnerabilities by default AND decrease the risk and complexity of vulnerability detection and response.
Providers MUST treat problems or failures with their vulnerability detection and response processes as vulnerabilities.
Providers SHOULD NOT weaken the security of information resources to facilitate vulnerability scanning, detection, or assessment activities.
Providers MUST systematically, persistently, and promptly track, evaluate, monitor, mitigate, remediate, assess exploitation of, report, and otherwise manage all detected vulnerabilities within their cloud service offering; this process is called vulnerability response.
Providers MAY sample effectively identical information resources, especially machine-based information resources, when performing vulnerability detection UNLESS doing so would decrease the efficiency or effectiveness of vulnerability detection.
These rules apply to timeframes for vulnerability detection and response.
Providers SHOULD remediate Known Exploited Vulnerabilities according to the due dates in the CISA Known Exploited Vulnerabilities Catalog (even if the vulnerability has been fully mitigated) as required by CISA Binding Operational Directive (BOD) 26-04 or any successor guidance from CISA.
Providers MUST verify and validate the status of non-machine-based information resources at least once every 3 months.
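Two of the rules above are mechanical enough to automate directly: new machine-based resources SHOULD NOT be activated while they carry a Known Exploited Vulnerability, and a KEV keeps its CISA due date until it is remediated, even when it has been fully mitigated. The following Python is an added illustration, not part of the FedRAMP standard or any CISA tooling. It assumes only the `cveID` and `dueDate` fields of the CISA KEV catalog JSON feed; the catalog entries, CVE identifiers and findings below are constructed placeholders.

```python
"""Gate new resources on the CISA KEV catalog and flag KEVs past their due date.

Added example (not FedRAMP or CISA code). The catalog shape follows the
cveID/dueDate fields of the CISA KEV JSON feed; all data here is constructed.
"""
import json
from datetime import date

# Constructed sample in the shape of the KEV feed. Placeholder CVE IDs, not real entries.
SAMPLE_KEV_CATALOG = json.dumps({
    "title": "constructed sample, not the real catalog",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "dateAdded": "2025-01-10", "dueDate": "2025-01-31"},
        {"cveID": "CVE-0000-0002", "dateAdded": "2025-02-08", "dueDate": "2025-03-01"},
    ],
})

# Constructed vulnerability-response records for a hypothetical offering:
# one CVE per resource with its current response status.
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-0001", "resource": "web-01", "status": "mitigated"},
    {"cve": "CVE-0000-0001", "resource": "web-02", "status": "remediated"},
    {"cve": "CVE-0000-0002", "resource": "db-01", "status": "open"},
    {"cve": "CVE-0000-0003", "resource": "db-01", "status": "open"},  # not a KEV
]


def load_kev_due_dates(catalog_json: str) -> dict[str, date]:
    """Map every catalogued CVE ID to its CISA remediation due date."""
    catalog = json.loads(catalog_json)
    return {
        entry["cveID"]: date.fromisoformat(entry["dueDate"])
        for entry in catalog["vulnerabilities"]
    }


def kevs_blocking_deployment(resource_cves, kev_due: dict[str, date]) -> list[str]:
    """CVEs present on a new machine-based resource that are in the KEV catalog.

    Any non-empty result means the resource should not be deployed or activated.
    """
    return sorted(cve for cve in set(resource_cves) if cve in kev_due)


def overdue_kevs(findings, kev_due: dict[str, date], today: date) -> list[dict]:
    """KEV findings that are not remediated and whose CISA due date has passed.

    A finding with status 'mitigated' still counts: the due date applies until
    the vulnerability is remediated, not merely mitigated.
    """
    overdue = []
    for finding in findings:
        due = kev_due.get(finding["cve"])
        if due is None or finding["status"] == "remediated":
            continue
        days_overdue = (today - due).days
        if days_overdue > 0:
            overdue.append({
                "cve": finding["cve"],
                "resource": finding["resource"],
                "status": finding["status"],
                "days_overdue": days_overdue,
            })
    # Longest-overdue first so the report leads with the worst exposure.
    return sorted(overdue, key=lambda row: (-row["days_overdue"], row["resource"]))


if __name__ == "__main__":
    kev = load_kev_due_dates(SAMPLE_KEV_CATALOG)
    # Deployment gate for a hypothetical new image carrying two CVEs.
    print("blocking:", kevs_blocking_deployment(["CVE-0000-0003", "CVE-0000-0001"], kev))
    # Due-date report as of a fixed (constructed) date.
    for row in overdue_kevs(SAMPLE_FINDINGS, kev, date(2025, 2, 15)):
        print(row)
```

The gate deliberately does not look at the finding status: a new resource with a catalogued CVE is blocked outright, which is the simplest reading of the "SHOULD NOT deploy" rule. The due-date report is where mitigation status matters, and it is intentionally ignored for everything except `remediated`, matching the "even if fully mitigated" wording.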
| Class | Frequency | Requirement |
|---|---|---|
| A | SHOULD, at least every 6 months | Providers with Class A Certifications SHOULD persistently perform vulnerability detection on all information resources that are NOT likely to drift, at least once every 6 months. |
| B | SHOULD, at least every 6 months | Providers with Class B Certifications SHOULD persistently perform vulnerability detection on all information resources that are NOT likely to drift, at least once every 6 months. |
| C | SHOULD, at least every month | Providers with Class C Certifications SHOULD persistently perform vulnerability detection on all information resources that are NOT likely to drift, at least once every month. |
| D | SHOULD, at least every month | Providers with Class D Certifications SHOULD persistently perform vulnerability detection on all information resources that are NOT likely to drift, at least once every month. |
| Class | Frequency | Requirement |
|---|---|---|
| A | SHOULD, at least every 3 months | Providers with Class A Certifications SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every 3 months. |
| B | SHOULD, at least every month | Providers with Class B Certifications SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every month. |
| C | SHOULD, at least every 14 days | Providers with Class C Certifications SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every 14 days. |
| D | SHOULD, at least every 7 days | Providers with Class D Certifications SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every 7 days. |
| Class | Frequency | Requirement |
|---|---|---|
| A | SHOULD, at least every 14 days | Providers with Class A Certifications SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once every 14 days. |
| B | SHOULD, at least every 7 days | Providers with Class B Certifications SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once every 7 days. |
| C | SHOULD, at least every 3 days | Providers with Class C Certifications SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once every 3 days. |
| D | SHOULD, at least every day | Providers with Class D Certifications SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once per day. |
| Class | Requirement |
|---|---|
| A | Providers with Class A Certifications SHOULD partially mitigate vulnerabilities, fully mitigate vulnerabilities, or remediate vulnerabilities to a lower Potential Agency Impact N-rating within the timeframes from evaluation shown below, factoring for the current Potential Agency Impact N-rating, internet reachability, and likely exploitability. |
| B | Providers with Class B Certifications SHOULD partially mitigate vulnerabilities, fully mitigate vulnerabilities, or remediate vulnerabilities to a lower Potential Agency Impact N-rating within the timeframes from evaluation shown below, factoring for the current Potential Agency Impact N-rating, internet reachability, and likely exploitability. |
| C | Providers with Class C Certifications SHOULD partially mitigate vulnerabilities, fully mitigate vulnerabilities, or remediate vulnerabilities to a lower Potential Agency Impact N-rating within the timeframes from evaluation shown below, factoring for the current Potential Agency Impact N-rating, internet reachability, and likely exploitability. |
| D | Providers with Class D Certifications SHOULD partially mitigate vulnerabilities, fully mitigate vulnerabilities, or remediate vulnerabilities to a lower Potential Agency Impact N-rating within the maximum timeframes from evaluation shown below, factoring for the current Potential Agency Impact N-rating, internet reachability, and likely exploitability. |
Providers SHOULD mitigate or remediate remaining vulnerabilities during routine operations as determined necessary by the provider.
| Class | Frequency | Requirement |
|---|---|---|
| A | SHOULD, at least every month | Providers of FedRAMP 20x Class A offerings SHOULD verify and validate the status of machine-based information resources at least once every month. |
| B | MUST, at least every 7 days | Providers of FedRAMP 20x Class B offerings MUST verify and validate the status of machine-based information resources at least once every 7 days. |
| C | MUST, at least every 3 days | Providers of FedRAMP 20x Class C offerings MUST verify and validate the status of machine-based information resources at least once every 3 days. |
| Class | Frequency | Requirement |
|---|---|---|
| B | SHOULD, at least every month | Providers of FedRAMP Rev5 Class B offerings SHOULD verify and validate the status of machine-based information resources at least once every month. |
| C | MUST, at least every month | Providers of FedRAMP Rev5 Class C offerings MUST verify and validate the status of machine-based information resources at least once every month. |
| D | MUST, at least every month | Providers of FedRAMP Rev5 Class D offerings MUST verify and validate the status of machine-based information resources at least once every month. |