VER (assurance, stable)

Vulnerability Evaluation and Reporting

The Vulnerability Evaluation and Reporting rules require cloud service providers to determine when vulnerabilities are likely to impact federal customers and report the status of such vulnerabilities to all necessary parties.

Effective dates

  • Obtain by: 2026-12-07
  • Maintain by: 2026-12-07
  • Optional adoption: 2026-07-04
  • Grace period: 2027-03-07

FedRAMP Responsibilities (FRP)

2 rules

These rules apply to FedRAMP when setting expectations for specific cloud service providers.

Types: 20x, Rev5
Paths: Program, Agency
Classes: B, C, D
Affects: FedRAMP

VER-FRP-ADV

Sensitive Details

MAY

FedRAMP MAY require providers to share additional information or details about vulnerabilities, including sensitive information that would likely lead to exploitation, as part of review, response or investigation by necessary parties.

VER-FRP-ARP

Additional Requirements

MAY

FedRAMP MAY require providers to share additional vulnerability information, alternative reports, or to report at an alternative frequency as a condition of a FedRAMP Corrective Action Plan or other agreements with federal agencies.

Agency Guidance (AGM)

4 rules

These rules for agencies apply to all agencies using a FedRAMP Certification.

Types: 20x, Rev5
Paths: Program, Agency
Classes: B, C, D
Affects: Agencies

VER-AGM-DRE

Do Not Request Extra Info

SHOULD NOT

Agencies SHOULD NOT request additional information from cloud service providers that is not required by the FedRAMP Vulnerability Detection and Response rules UNLESS the head of the agency or an authorized delegate makes a determination that there is a demonstrable need for such.

This is related to the Presumption of Adequacy directed by 44 USC § 3613(e).

VER-AGM-MAP

Maintain Agency Plans of Action and Milestones

SHOULD

Agencies SHOULD use vulnerability information reported by the Provider to maintain Plans of Action and Milestones for agency security programs when relevant according to agency security policies (such as if the agency takes action to mitigate the risk of exploitation or authorized the continued use of a cloud service with accepted vulnerabilities that put agency information systems at risk).

VER-AGM-NFR

Notify FedRAMP

MUST

Agencies MUST notify FedRAMP after requesting any additional vulnerability information or materials from a cloud service provider beyond those FedRAMP requires by sending a notification to [info@fedramp.gov](mailto:info@fedramp.gov).

This is an OMB policy; agencies are required to notify FedRAMP in OMB Memorandum M-24-15 section IV (a).

VER-AGM-RVR

Review Vulnerability Reports

SHOULD

Agencies SHOULD review the information provided in vulnerability reports at appropriate and reasonable intervals commensurate with the expectations and risk posture indicated by their Authorization to Operate, and SHOULD use automated processing and filtering of machine readable information from cloud service providers.

FedRAMP recommends that agencies only review overdue and accepted vulnerabilities with a Potential Agency Impact N-rating > 2 unless the cloud service provider recommends mitigations or the service is included in a higher risk federal information system. Furthermore, accepted vulnerabilities generally only need to be reviewed when they are added or during an updated risk assessment prompted by changes in the agency's use or authorization.

Evaluation (EVA)

7 rules

These rules apply to the evaluation of vulnerabilities.

Types: 20x, Rev5
Paths: Program, Agency
Classes: B, C, D
Affects: Providers

VER-EVA-AIA

Assume It's Automatable

MUST

Providers MUST assume the exploitation of vulnerabilities can be automated UNLESS they have evidence proving otherwise.

VER-EVA-EFA

Evaluation Factors

SHOULD

Providers SHOULD consider at least the following factors when considering the context of the cloud service offering to evaluate detected vulnerabilities:

  • Criticality: How important are the systems or information that might be impacted by the vulnerability?
  • Reachability: How might a threat actor reach the vulnerability and how likely is that?
  • Exploitability: How easy is it for a threat actor to exploit the vulnerability and how likely is that?
  • Detectability: How easy is it for a threat actor to become aware of the vulnerability and how likely is that?
  • Prevalence: How much of the cloud service offering is affected by the vulnerability?
  • Privilege: How much privileged authority or access is granted or can be gained from exploiting the vulnerability?
  • Proximate Vulnerabilities: How does this vulnerability interact with previously detected vulnerabilities, especially partially or fully mitigated vulnerabilities?
  • Known Threats: How might already known threats leverage the vulnerability and how likely is that?

VER-EVA-EIR

Evaluate Internet-Reachability

MUST

Providers MUST evaluate detected vulnerabilities, considering the context of the cloud service offering, to determine if they are internet-reachable vulnerabilities.

  • FedRAMP focuses on internet-reachable (rather than internet-accessible) to ensure that any service that might receive a payload from the internet is prioritized if that service has a vulnerability that can be triggered by processing the data in the payload.
  • The simplest way to prevent exploitation of internet-reachable vulnerabilities is to intercept, inspect, filter, sanitize, reject, or otherwise deflect triggering payloads before they are processed by the vulnerable resource; once this prevention is in place the vulnerability should no longer be considered an internet-reachable vulnerability.
  • A classic example of an internet-reachable vulnerability on systems that are not typically internet-accessible is [SQL injection](https://en.wikipedia.org/wiki/SQL_injection), where an application stack behind a load balancer and firewall with no ability to route traffic to or from the internet can receive a payload indirectly from the internet that triggers the manipulation or compromise of data in a database that can only be accessed by an authorized connection from the application server on a private network.
  • Another simple example is the infamous [Log4Shell](https://en.wikipedia.org/wiki/Log4Shell) vulnerability from 2021, where exploitation was possible via vulnerable internet-reachable resources deep in the application stack that were often not internet-accessible themselves.
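
As an added illustration of the SQL injection case described above (example code, not part of the FedRAMP standard): a Python stand-in in which the "private" database is an in-memory SQLite table that only the application-server function can reach, the application pastes the username it received through the load balancer into SQL text, and an injected payload still manipulates the query even though the database has no internet path of its own. The hardened lookup and the allow-list front door correspond to the two remedies the rule text points at: parameterizing removes the flaw, while the front door deflects triggering payloads before the vulnerable code processes them. The table, rows and username pattern are constructed for the example.

```python
import re
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample rows for the stand-in database. In the scenario from the
# rule text, this database lives on a private network and only accepts
# connections from the application server; nothing here is internet-accessible.
_SEED_USERS = [(1, "alice", "alice@example.gov"), (2, "bob", "bob@example.gov")]


def private_db() -> sqlite3.Connection:
    """Build the in-memory stand-in for the private-network database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", _SEED_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Application-server code carrying the internet-reachable flaw.

    `username` is whatever arrived in the request via the load balancer.
    Pasting it into the SQL text means an internet payload is interpreted by
    the private database, even though the database itself has no internet path.
    """
    query = f"SELECT id, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Same lookup with a bound parameter: the payload is data, never SQL."""
    return conn.execute(
        "SELECT id, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Assumed allow-list for usernames; the real pattern depends on the service.
_USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def front_door(username: str) -> Optional[str]:
    """Deflect triggering payloads before the vulnerable code processes them.

    This is the 'intercept, inspect, filter ... reject' mitigation from the
    rule text. It is a compensating control: it changes whether the flaw is
    internet-reachable, not whether `lookup_vulnerable` is still flawed.
    """
    return username if _USERNAME_RE.fullmatch(username) else None


def handle_request(username: str, hardened: bool = False) -> List[Tuple]:
    """Simulate the full path: internet -> load balancer -> app -> private DB."""
    conn = private_db()
    lookup = lookup_hardened if hardened else lookup_vulnerable
    return lookup(conn, username)


if __name__ == "__main__":
    payload = "x' OR 'a'='a"  # tautology that neutralises the WHERE clause
    print("vulnerable:", handle_request(payload))                # every row leaks
    print("hardened:  ", handle_request(payload, hardened=True))  # no match
    print("front door:", front_door(payload))                    # None: rejected
```

Run it as a script to see the three outcomes side by side. The point for evaluation under this rule is the first one: the row leak happens on a host that an internet-accessibility check would never flag, which is exactly why reachability, not accessibility, is the criterion.
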
VER-EVA-ELX

Evaluate Exploitability

MUST

Providers MUST evaluate detected vulnerabilities, considering the context of the cloud service offering, to determine if they are likely exploitable vulnerabilities.

  • The simple reality is that most traditional vulnerabilities discovered by scanners or during assessment are not likely to be exploitable; exploitation typically requires an unrealistic set of circumstances that will not occur during normal operation. The likelihood of exploitation will vary depending on so many factors that FedRAMP will not recommend a specific framework for approaching this beyond these rules.
  • The proof, ultimately, is in the pudding - providers who regularly evaluate vulnerabilities as not likely exploitable without careful consideration are more likely to suffer from an adverse impact where the root cause was an exploited vulnerability that was improperly evaluated. If done recklessly or deliberately, such actions will have a negative impact on a provider's FedRAMP Certification.

VER-EVA-EPA

Estimate Potential Agency Impact

MUST

Providers MUST evaluate detected vulnerabilities, considering the context of the cloud service offering, to estimate the potential agency impact of exploitation on government customers AND assign one of the following Potential Agency Impact N-ratings (PAIN):

  • N1: Exploitation could be expected to have minimal customer effects on one or more agencies that use the cloud service offering.
  • N2: Exploitation could be expected to have narrow customer effects on one or more agencies that use the cloud service offering.
  • N3: Exploitation could be expected to have a disruptive customer effect on one agency that uses the cloud service offering.
  • N4: Exploitation could be expected to have a debilitating customer effect on one agency that uses the cloud service offering OR a disruptive customer effect on more than one federal agency that uses the cloud service offering.
  • N5: Exploitation could be expected to have a debilitating customer effect on more than one agency that uses the cloud service offering.

VER-EVA-GRV

Group Vulnerabilities

SHOULD

Providers SHOULD evaluate detected vulnerabilities, considering the context of the cloud service offering, to identify logical groupings of affected information resources that may improve the efficiency and effectiveness of vulnerability response by consolidating further activity; FedRAMP Vulnerability Detection and Response rules are then applied to these consolidated groupings of vulnerabilities instead of each individual detected instance.

Reporting (RPT)

6 rules

These rules apply to reporting related to vulnerability detection and response.

Types: 20x, Rev5
Paths: Program, Agency
Classes: B, C, D
Affects: Providers

VER-RPT-AVI

Accepted Vulnerability Info

MUST

Providers MUST include the following information on accepted vulnerabilities when reporting on vulnerability detection and response activity:

  • Provider's internally assigned tracking identifier
  • Time and source of the detection
  • Time of completed evaluation
  • Is it an internet-reachable vulnerability or not?
  • Is it a likely exploitable vulnerability or not?
  • Currently estimated Potential Agency Impact N-rating
  • Explanation of why this is an accepted vulnerability
  • Any supplementary information the provider determines will responsibly help federal agencies assess or mitigate the risk to their federal customer data within the cloud service offering resulting from the accepted vulnerability

Required Artifacts

  • A recent vulnerability report or a sample vulnerability report

VER-RPT-NID

Responsible Disclosure

MUST NOT

Providers MUST NOT irresponsibly disclose specific sensitive information about vulnerabilities that would likely lead to exploitation, but MUST disclose sufficient information for informed risk-based decision-making to all necessary parties.

This requirement will be superseded in the event of formal action related to an investigation or corrective action plan.

VER-RPT-PER

Persistent Reporting

MUST

Providers MUST report vulnerability detection and response activity (including persistent verification and validation) to all necessary parties persistently, summarizing ALL activity since the previous report; these reports are FedRAMP Certification Data and are subject to FedRAMP Certification Data Sharing rules.

VER-RPT-VDT

Vulnerability Details

MUST

Providers MUST include the following information (if applicable) on detected vulnerabilities when reporting on vulnerability detection and response activity, UNLESS it is an accepted vulnerability:

  • Provider's internally assigned tracking identifier
  • Time and source of the detection
  • Time of completed evaluation
  • Is it an internet-reachable vulnerability or not?
  • Is it a likely exploitable vulnerability or not?
  • Historically and currently estimated Potential Agency Impact N-rating of exploitation
  • Time and Potential Agency Impact N-rating of each completed and evaluated reduction in Potential Agency Impact N-rating
  • Estimated time and target Potential Agency Impact N-rating of next reduction in Potential Agency Impact N-rating
  • Is it currently or is it likely to become an overdue vulnerability or not? If so, explain.
  • Any supplementary information the provider responsibly determines will help federal agencies assess or mitigate the risk to their federal customer data within the cloud service offering resulting from the vulnerability
  • Final disposition of the vulnerability

Required Artifacts

  • A recent vulnerability report or a sample vulnerability report

Timeframes (TFR)

6 rules

These rules apply to timeframes for vulnerability detection and response.

Types: 20x, Rev5
Paths: Program, Agency
Classes: B, C, D
Affects: Providers

VER-TFR-EVU

Evaluate Vulnerabilities Quickly

Class A: SHOULD (within 14 days)

Providers with Class A Certifications SHOULD evaluate ALL vulnerabilities as required by VER-EVA (Evaluation) within 14 days of detection.

Class B: SHOULD (within 7 days)

Providers with Class B Certifications SHOULD evaluate ALL vulnerabilities as required by VER-EVA (Evaluation) within 7 days of detection.

Class C: SHOULD (within 5 days)

Providers with Class C Certifications SHOULD evaluate ALL vulnerabilities as required by VER-EVA (Evaluation) within 5 days of detection.

Class D: SHOULD (within 2 days)

Providers with Class D Certifications SHOULD evaluate ALL vulnerabilities as required by VER-EVA (Evaluation) within 2 days of detection.

VER-TFR-IRI

Internet-Reachable Incidents

Class A: MAY

Providers with Class A Certifications MAY treat internet-reachable likely exploitable vulnerabilities where Potential Agency Impact N-rating > 3 as a FedRAMP Reportable Incident until they are partially mitigated vulnerabilities at N3 or below.

Class B: MAY

Providers with Class B Certifications MAY treat internet-reachable likely exploitable vulnerabilities where Potential Agency Impact N-rating > 3 as a FedRAMP Reportable Incident until they are partially mitigated vulnerabilities at N3 or below.

Class C: SHOULD

Providers with Class C Certifications SHOULD treat internet-reachable likely exploitable vulnerabilities where Potential Agency Impact N-rating > 3 as a FedRAMP Reportable Incident until they are partially mitigated vulnerabilities at N3 or below.

Class D: SHOULD

Providers with Class D Certifications SHOULD treat internet-reachable likely exploitable vulnerabilities where Potential Agency Impact N-rating > 3 as a FedRAMP Reportable Incident until they are partially mitigated vulnerabilities at N3 or below.

VER-TFR-MRH

Historical Activity

Class A: MAY (updated at least every month)

Providers with Class A Certifications MAY make all recent historical vulnerability detection and response activity available in JSON format for automated retrieval by all necessary parties (e.g. using an API service or similar); this information MAY be updated persistently, at least once every month.

Class B: SHOULD (updated at least every month)

Providers with Class B Certifications SHOULD make all recent historical vulnerability detection and response activity available in JSON format for automated retrieval by all necessary parties (e.g. using an API service or similar); this information SHOULD be updated persistently, at least once every month.

Class C: SHOULD (updated at least every 14 days)

Providers with Class C Certifications SHOULD make all recent historical vulnerability detection and response activity available in JSON format for automated retrieval by all necessary parties (e.g. using an API service or similar); this information SHOULD be updated persistently, at least once every 14 days.

Class D: SHOULD (updated at least every 7 days)

Providers with Class D Certifications SHOULD make all recent historical vulnerability detection and response activity available in JSON format for automated retrieval by all necessary parties (e.g. using an API service or similar); this information SHOULD be updated persistently, at least once every 7 days.

VER-TFR-NRI

Non-Internet-Reachable Incidents

Class A: MAY

Providers with Class A Certifications MAY treat likely exploitable vulnerabilities that are NOT internet-reachable where Potential Agency Impact N-rating = 5 as a FedRAMP Reportable Incident until they are partially mitigated vulnerabilities at N4 or below.

Class B: MAY

Providers with Class B Certifications MAY treat likely exploitable vulnerabilities that are NOT internet-reachable where Potential Agency Impact N-rating = 5 as a FedRAMP Reportable Incident until they are partially mitigated vulnerabilities at N4 or below.

Class C: MAY

Providers with Class C Certifications MAY treat likely exploitable vulnerabilities that are NOT internet-reachable where Potential Agency Impact N-rating = 5 as a FedRAMP Reportable Incident until they are partially mitigated vulnerabilities at N4 or below.

Class D: SHOULD

Providers with Class D Certifications SHOULD treat likely exploitable vulnerabilities that are NOT internet-reachable where Potential Agency Impact N-rating = 5 as a FedRAMP Reportable Incident until they are partially mitigated vulnerabilities at N4 or below.
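
As an added example (not part of the standard, and using a field layout that is my own assumption, since the standard only says "JSON format"), the following Python applies several of the rules above to a constructed machine-readable report: the per-class evaluation windows of VER-TFR-EVU, the reportable-incident thresholds of VER-TFR-IRI and VER-TFR-NRI, and the agency-side filter FedRAMP recommends under VER-AGM-RVR (review only overdue and accepted vulnerabilities with a Potential Agency Impact N-rating > 2 unless the provider recommends mitigations or the service is part of a higher risk system). The report entries, timestamps and "current time" are constructed; the field names mirror the VER-RPT-VDT and VER-RPT-AVI lists but are not defined by the standard.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Evaluation window per certification class (VER-TFR-EVU), in days from detection.
EVALUATION_DEADLINE_DAYS = {"A": 14, "B": 7, "C": 5, "D": 2}

# Strength of the reportable-incident expectation per class
# (VER-TFR-IRI for internet-reachable, VER-TFR-NRI for not internet-reachable).
INCIDENT_STRENGTH = {
    "VER-TFR-IRI": {"A": "MAY", "B": "MAY", "C": "SHOULD", "D": "SHOULD"},
    "VER-TFR-NRI": {"A": "MAY", "B": "MAY", "C": "MAY", "D": "SHOULD"},
}

# Constructed sample report. The field names are an assumed JSON layout that
# mirrors the VER-RPT-VDT / VER-RPT-AVI lists; the standard defines no schema.
# `pain` is the Potential Agency Impact N-rating; None means not yet evaluated.
SAMPLE_REPORT = [
    {"tracking_id": "CSP-0001", "detected": "2025-03-01T08:00:00+00:00",
     "evaluated": "2025-03-03T09:00:00+00:00", "internet_reachable": True,
     "likely_exploitable": True, "pain": 4, "accepted": False,
     "overdue": False, "mitigations_recommended": False},
    {"tracking_id": "CSP-0002", "detected": "2025-03-01T08:00:00+00:00",
     "evaluated": "2025-03-10T12:00:00+00:00", "internet_reachable": False,
     "likely_exploitable": True, "pain": 5, "accepted": False,
     "overdue": True, "mitigations_recommended": False},
    {"tracking_id": "CSP-0003", "detected": "2025-03-12T08:00:00+00:00",
     "evaluated": "2025-03-13T08:00:00+00:00", "internet_reachable": False,
     "likely_exploitable": False, "pain": 2, "accepted": True,
     "overdue": False, "mitigations_recommended": False},
    {"tracking_id": "CSP-0004", "detected": "2025-03-12T08:00:00+00:00",
     "evaluated": "2025-03-13T08:00:00+00:00", "internet_reachable": True,
     "likely_exploitable": False, "pain": 1, "accepted": True,
     "overdue": False, "mitigations_recommended": True},
    {"tracking_id": "CSP-0005", "detected": "2025-03-12T08:00:00+00:00",
     "evaluated": None, "internet_reachable": False,
     "likely_exploitable": False, "pain": None, "accepted": False,
     "overdue": False, "mitigations_recommended": False},
]
SAMPLE_NOW = datetime(2025, 3, 16, tzinfo=timezone.utc)  # constructed "current time"


def _ts(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value) if value else None


def evaluation_late(entry: dict, cert_class: str, now: datetime) -> bool:
    """True if evaluation finished after, or is still open past, the VER-TFR-EVU window."""
    deadline = _ts(entry["detected"]) + timedelta(days=EVALUATION_DEADLINE_DAYS[cert_class])
    finished = _ts(entry.get("evaluated"))
    return (finished or now) > deadline


def reportable_incident(entry: dict, cert_class: str) -> Optional[Tuple[str, str]]:
    """Return (rule, strength) when an evaluated entry meets an incident threshold.

    VER-TFR-IRI: internet-reachable, likely exploitable, PAIN > 3.
    VER-TFR-NRI: not internet-reachable, likely exploitable, PAIN = 5.
    """
    pain = entry.get("pain")
    if pain is None or not entry["likely_exploitable"]:
        return None
    if entry["internet_reachable"] and pain > 3:
        return "VER-TFR-IRI", INCIDENT_STRENGTH["VER-TFR-IRI"][cert_class]
    if not entry["internet_reachable"] and pain == 5:
        return "VER-TFR-NRI", INCIDENT_STRENGTH["VER-TFR-NRI"][cert_class]
    return None


def agency_review_queue(report: List[dict], higher_risk_system: bool = False) -> List[str]:
    """Apply the VER-AGM-RVR recommendation to a machine-readable report.

    Only overdue and accepted entries are candidates. Of those, keep PAIN > 2,
    any where the provider recommends mitigations, and (my reading of the
    rule's 'unless' clause) everything when the service sits in a higher risk system.
    """
    queue = []
    for entry in report:
        if not (entry["overdue"] or entry["accepted"]):
            continue
        pain = entry.get("pain") or 0
        if pain > 2 or entry["mitigations_recommended"] or higher_risk_system:
            queue.append(entry["tracking_id"])
    return queue


def triage(report: List[dict], cert_class: str, now: datetime) -> dict:
    """Summarise a report the way an agency's automated filter might."""
    incidents = {e["tracking_id"]: reportable_incident(e, cert_class) for e in report}
    return {
        "late_evaluations": [e["tracking_id"] for e in report
                             if evaluation_late(e, cert_class, now)],
        "incidents": {k: v for k, v in incidents.items() if v is not None},
        "review_queue": agency_review_queue(report),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT, "C", SAMPLE_NOW), indent=2))
```

For the constructed report and a Class C provider, CSP-0002 is the only late evaluation (nine days against a five-day window), CSP-0001 and CSP-0002 meet the incident thresholds (SHOULD and MAY respectively for Class C), and the agency queue holds CSP-0002 (overdue, N5) and CSP-0004 (accepted, but with provider-recommended mitigations); CSP-0003, accepted at N2 with no mitigations, only enters the queue when the higher risk flag is set. Switching the class to D makes the still-open CSP-0005 late as well.
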