Skip to content

Vulnerability Evaluation and Reporting

The Vulnerability Evaluation and Reporting rules require cloud service providers to determine when vulnerabilities are likely to impact federal customers and report the status of such vulnerabilities to all necessary parties.

Effective Date(s) & Overall Applicability for 20x and Rev5

  • Required (Mandated by CISA BOD 26-04)
  • Optional Adoption: 2026-07-04
  • Obtain: 2026-12-07
  • Maintain: 2026-12-07
  • Grace Ends: 2027-03-07

Agency Guidance

These rules for agencies apply to all agencies using a FedRAMP Certification.

Type: 20xRev5
Path: ProgramAgency
Class: Class BClass CClass D
Audience: Agencies

Review Vulnerability Reports

VER-AGM-RVR

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

Agencies SHOULD review the information provided in vulnerability reports at appropriate and reasonable intervals commensurate with the expectations and risk posture indicated by their Authorization to Operate, and SHOULD use automated processing and filtering of machine readable information from cloud service providers.


Note: FedRAMP recommends that agencies only review overdue and accepted vulnerabilities Potential Agency Impact N-rating > 2 unless the cloud service provider recommends mitigations or the service is included in a higher risk federal information system. Furthermore, accepted vulnerabilities generally only need to be reviewed when they are added or during an updated risk assessment due to changes in the agency's use or authorization.


Terms: Accepted Vulnerability, Potential Agency Impact, Vulnerability

Maintain Agency Plans of Action and Milestones

VER-AGM-MAP

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

Agencies SHOULD use vulnerability information reported by the Provider to maintain Plans of Action and Milestones for agency security programs when relevant according to agency security policies (such as if the agency takes action to mitigate the risk of exploitation or authorized the continued use of a cloud service with accepted vulnerabilities that put agency information systems at risk).


Terms: Accepted Vulnerability, FedRAMP Certified, Vulnerability

Comments