
Vulnerability Detection and Response

The Vulnerability Detection and Response rules require providers to continuously identify, analyze, prioritize, mitigate, and remediate vulnerabilities and related exposures through automated systems. These rules give providers flexibility in implementation while ensuring agencies receive the information needed to support ongoing authorization decisions.


Agency Guidance

These rules for agencies apply to all agencies using a FedRAMP Certification.

Review Vulnerability Reports

VDR-AGM-RVR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies SHOULD review the information provided in vulnerability reports at appropriate and reasonable intervals commensurate with the expectations and risk posture indicated by their Authorization to Operate, and SHOULD use automated processing and filtering of machine readable information from cloud service providers.


Note: FedRAMP recommends that agencies only review overdue and accepted vulnerabilities with a Potential Adverse Impact N-rating > 2, unless the cloud service provider recommends mitigations or the service is included in a higher risk federal information system. Furthermore, accepted vulnerabilities generally only need to be reviewed when they are added or during an updated risk assessment due to changes in the agency's use or authorization.


Terms: Accepted Vulnerability, Potential Adverse Impact, Vulnerability
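The automated processing and filtering that VDR-AGM-RVR recommends, applied to the triage rule in the note above, as an added example that is not part of the FedRAMP rules or any provider's tooling. The page does not define the machine-readable report format, so the JSON field names (`id`, `status`, `pai_rating`, `csp_mitigation`), the `status` values, and the sample records are all assumptions constructed for this example.

```python
import json
from dataclasses import dataclass

# Constructed sample report. The schema is an assumption for this example;
# the FedRAMP page does not define a machine-readable report format.
SAMPLE_REPORT = """[
 {"id": "V-1", "status": "overdue",  "pai_rating": 4, "csp_mitigation": false},
 {"id": "V-2", "status": "overdue",  "pai_rating": 1, "csp_mitigation": false},
 {"id": "V-3", "status": "overdue",  "pai_rating": 1, "csp_mitigation": true},
 {"id": "V-4", "status": "accepted", "pai_rating": 3, "csp_mitigation": false},
 {"id": "V-5", "status": "accepted", "pai_rating": 3, "csp_mitigation": false},
 {"id": "V-6", "status": "open",     "pai_rating": 5, "csp_mitigation": false}
]"""


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str
    status: str           # assumed values: "open", "overdue", "accepted"
    pai_rating: int       # Potential Adverse Impact N-rating reported by the provider
    csp_mitigation: bool  # provider recommends agency-side mitigations


def load_report(text):
    """Parse a provider report (assumed JSON array) into VulnRecord objects."""
    return [
        VulnRecord(item["id"], item["status"], int(item["pai_rating"]),
                   bool(item["csp_mitigation"]))
        for item in json.loads(text)
    ]


def needs_review(rec, *, high_risk_system, risk_assessment_update, previously_seen):
    """Apply the VDR-AGM-RVR note: review only overdue and accepted
    vulnerabilities, and only when the N-rating exceeds 2, the provider
    recommends mitigations, or the service sits in a higher-risk system.
    Accepted vulnerabilities seen before are skipped unless the agency is
    running an updated risk assessment."""
    if rec.status not in ("overdue", "accepted"):
        return False
    if (rec.status == "accepted" and rec.vuln_id in previously_seen
            and not risk_assessment_update):
        return False
    return rec.pai_rating > 2 or rec.csp_mitigation or high_risk_system


def select_for_review(records, *, previously_seen=frozenset(),
                      high_risk_system=False, risk_assessment_update=False):
    """Return the IDs an agency reviewer should look at for this report."""
    return [
        r.vuln_id for r in records
        if needs_review(r, high_risk_system=high_risk_system,
                        risk_assessment_update=risk_assessment_update,
                        previously_seen=previously_seen)
    ]


if __name__ == "__main__":
    records = load_report(SAMPLE_REPORT)
    # "V-5" was accepted in an earlier report, so it drops out of routine review.
    print(select_for_review(records, previously_seen={"V-5"}))
```

The `previously_seen` set is the agency's own record of accepted vulnerabilities already reviewed; carrying it between report cycles is what lets accepted items fall out of routine review while still surfacing when they are newly added or when a risk assessment is refreshed.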

Maintain Agency Plans of Action and Milestones

VDR-AGM-MAP

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies SHOULD use vulnerability information reported by the Provider to maintain Plans of Action and Milestones for agency security programs when relevant according to agency security policies (such as if the agency takes action to mitigate the risk of exploitation or authorized the continued use of a cloud service with accepted vulnerabilities that put agency information systems at risk).


Terms: Accepted Vulnerability, FedRAMP Certified, Vulnerability

Do Not Request Extra Info

VDR-AGM-DRE

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies SHOULD NOT request additional information from cloud service providers that is not required by the FedRAMP Vulnerability Detection and Response rules UNLESS the head of the agency or an authorized delegate makes a determination that there is a demonstrable need for such information.


Note: This is related to the Presumption of Adequacy directed by 44 USC § 3613(e).


Terms: FedRAMP Certified, Vulnerability, Vulnerability Detection, Vulnerability Response

Notify FedRAMP

VDR-AGM-NFR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

This FRR includes a notification requirement!

  • Notify FedRAMP by email using info@fedramp.gov.

Agencies MUST notify FedRAMP after requesting any additional vulnerability information or materials from a cloud service provider beyond those FedRAMP requires by sending a notification to info@fedramp.gov.


Note: This is an OMB policy; agencies are required to notify FedRAMP in OMB Memorandum M-24-15 section IV (a).


Terms: Vulnerability
