Vulnerability Evaluation and Reporting
The Vulnerability Evaluation and Reporting rules require cloud service providers to determine when vulnerabilities are likely to impact federal customers and report the status of such vulnerabilities to all necessary parties.
Effective Date(s) & Overall Applicability for 20x and Rev5
- Required (Mandated by CISA BOD 26-04)
- Optional Adoption: 2026-07-04
- Obtain: 2026-12-07
- Maintain: 2026-12-07
- Grace Ends: 2027-03-07
Agency Guidance
These rules for agencies apply to all agencies relying on a FedRAMP Certification.
Path: Program, Agency
Class: Class B, Class C, Class D
Audience: Agencies
Notify FedRAMP
VER-AGM-NFR
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
This FRR includes a notification requirement!
Agencies MUST notify FedRAMP, by sending a notification to info@fedramp.gov, after requesting from a cloud service provider any vulnerability information or materials beyond those FedRAMP requires.
Note: This is an OMB policy; agencies are required to notify FedRAMP in OMB Memorandum M-24-15 section IV (a).
Terms: Vulnerability
Review Vulnerability Reports
VER-AGM-RVR
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Agencies SHOULD review the information provided in vulnerability reports at appropriate and reasonable intervals commensurate with the expectations and risk posture indicated by their Authorization to Operate, and SHOULD use automated processing and filtering of machine-readable information from cloud service providers.
Note: FedRAMP recommends that agencies only review overdue and accepted vulnerabilities with a Potential Agency Impact rating greater than 2, unless the cloud service provider recommends mitigations or the service is included in a higher-risk federal information system. Furthermore, accepted vulnerabilities generally only need to be reviewed when they are added, or during an updated risk assessment prompted by changes in the agency's use or authorization.
Terms: Accepted Vulnerability, Potential Agency Impact, Vulnerability
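The note above amounts to a triage filter that can be applied automatically to a machine-readable report. The following is an added example, not code from FedRAMP or from this page; it assumes a hypothetical record schema (`id`, `status`, `potential_agency_impact`, `csp_recommends_mitigation`, `added_on`), since the page does not define one, and the sample report is constructed. It encodes the three carve-outs in the note: CSP-recommended mitigations are always surfaced, a higher-risk system reviews every overdue or accepted finding regardless of rating, and accepted findings are re-surfaced only when newly added or during a reassessment.

```python
"""Triage filter for a machine-readable vulnerability report (added example).

The record schema below is an assumption for illustration; FedRAMP's actual
machine-readable format is not described on this page.
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed sample report: not real CSP output.
SAMPLE_REPORT = json.dumps([
    {"id": "V-1", "status": "overdue", "potential_agency_impact": 3,
     "csp_recommends_mitigation": False, "added_on": "2026-09-01"},
    {"id": "V-2", "status": "overdue", "potential_agency_impact": 1,
     "csp_recommends_mitigation": False, "added_on": "2026-09-02"},
    {"id": "V-3", "status": "accepted", "potential_agency_impact": 4,
     "csp_recommends_mitigation": False, "added_on": "2026-05-15"},
    {"id": "V-4", "status": "accepted", "potential_agency_impact": 4,
     "csp_recommends_mitigation": False, "added_on": "2026-09-10"},
    {"id": "V-5", "status": "open", "potential_agency_impact": 2,
     "csp_recommends_mitigation": True, "added_on": "2026-09-11"},
    {"id": "V-6", "status": "open", "potential_agency_impact": 1,
     "csp_recommends_mitigation": False, "added_on": "2026-09-11"},
])


@dataclass(frozen=True)
class Finding:
    id: str
    status: str            # assumed values: open | overdue | accepted | mitigated
    impact: int            # assumed: Potential Agency Impact rating as an integer
    csp_recommends_mitigation: bool
    added_on: date


def parse_report(text):
    """Parse the assumed JSON array into Finding records."""
    return [
        Finding(
            id=r["id"],
            status=r["status"],
            impact=int(r["potential_agency_impact"]),
            csp_recommends_mitigation=bool(r["csp_recommends_mitigation"]),
            added_on=date.fromisoformat(r["added_on"]),
        )
        for r in json.loads(text)
    ]


def select_for_review(findings, last_review, higher_risk_system=False,
                      reassessment=False, threshold=2):
    """Return the findings an agency reviewer should look at this cycle.

    Rules mirrored from the VER-AGM-RVR note:
      - only overdue or accepted findings are in scope, unless the CSP
        recommends a mitigation, which is always surfaced;
      - accepted findings are surfaced only when added since the last review
        (or when a reassessment is underway);
      - of the remaining findings, surface those rated above the threshold,
        or all of them if the service sits in a higher-risk system.
    """
    selected = []
    for f in findings:
        if f.csp_recommends_mitigation:
            selected.append(f)           # CSP-recommended mitigation: always review
            continue
        if f.status not in ("overdue", "accepted"):
            continue                     # open/mitigated findings are out of scope
        if f.status == "accepted" and not reassessment and f.added_on <= last_review:
            continue                     # already accepted and already reviewed
        if higher_risk_system or f.impact > threshold:
            selected.append(f)
    return selected


def review_ids(report_text, last_review_iso, **kwargs):
    """Convenience wrapper: IDs to review for a report and last-review date."""
    findings = parse_report(report_text)
    return [f.id for f in select_for_review(findings, date.fromisoformat(last_review_iso), **kwargs)]


if __name__ == "__main__":
    print("routine cycle:", review_ids(SAMPLE_REPORT, "2026-08-01"))
    print("higher-risk system:", review_ids(SAMPLE_REPORT, "2026-08-01", higher_risk_system=True))
    print("reassessment:", review_ids(SAMPLE_REPORT, "2026-08-01", reassessment=True))
```

On a routine cycle with a last review on 2026-08-01 the filter returns V-1 (overdue, rated 3), V-4 (accepted after the last review, rated 4) and V-5 (CSP-recommended mitigation), and drops V-2, V-3 and V-6. Flagging the service as part of a higher-risk system pulls V-2 back in; flagging a reassessment pulls V-3 back in. The threshold and the status vocabulary are the parts to align with whatever format the CSP actually delivers.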
Maintain Agency Plans of Action and Milestones
VER-AGM-MAP
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Agencies SHOULD use vulnerability information reported by the cloud service provider to maintain Plans of Action and Milestones for agency security programs where relevant under agency security policies. Examples include cases where the agency takes action to mitigate the risk of exploitation, or where it has authorized continued use of a cloud service with accepted vulnerabilities that put agency information systems at risk.
Terms: Accepted Vulnerability, FedRAMP Certified, Vulnerability
Do Not Request Extra Info
VER-AGM-DRE
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
This FRR includes a notification requirement!
Agencies SHOULD NOT request additional information from cloud service providers that is not required by the FedRAMP Vulnerability Detection and Response rules UNLESS the head of the agency, or an authorized delegate, determines that there is a demonstrable need for it.
Note: This is related to the Presumption of Adequacy directed by 44 USC § 3613 (e).
Terms: FedRAMP Certified, Vulnerability, Vulnerability Detection, Vulnerability Response