Providers MUST systematically, persistently, and promptly discover and identify vulnerabilities within their cloud service offering using appropriate techniques such as assessment, scanning, threat intelligence, vulnerability disclosure mechanisms, bug bounties, supply chain monitoring, and other relevant capabilities; this process is called vulnerability detection.

Applies to: Low, Moderate, High

Providers MUST systematically, persistently, and promptly track, evaluate, monitor, mitigate, remediate, assess exploitation of, report, and otherwise manage all detected vulnerabilities within their cloud service offering; this process is called vulnerability response.

Applies to: Low, Moderate, High

Providers MUST follow the requirements and recommendations outlined in FRR-VDR-TF regarding timeframes for vulnerability detection and response.

Note: Providers are strongly encouraged to build programs that consistently exceed these thresholds. Performance will be measured by FedRAMP for comparison between providers and scoring within the FedRAMP Marketplace.

Applies to: Low, Moderate, High

Providers MAY sample effectively identical information resources, especially machine-based information resources, when performing vulnerability detection UNLESS doing so would decrease the efficiency or effectiveness of vulnerability detection.

Applies to: Low, Moderate, High

Providers SHOULD evaluate detected vulnerabilities, considering the context of the cloud service offering, to identify logical groupings of affected information resources that may improve the efficiency and effectiveness of vulnerability response by consolidating further activity; requirements and recommendations in this standard are then applied to these consolidated groupings of vulnerabilities instead of each individual detected instance.

Applies to: Low, Moderate, High

Providers SHOULD evaluate detected vulnerabilities, considering the context of the cloud service offering, to determine if they are false positive vulnerabilities.

Applies to: Low, Moderate, High

Providers MUST evaluate detected vulnerabilities, considering the context of the cloud service offering, to determine if they are likely exploitable vulnerabilities.

Applies to: Low, Moderate, High

Providers MUST evaluate detected vulnerabilities, considering the context of the cloud service offering, to determine if they are internet-reachable vulnerabilities.

Applies to: Low, Moderate, High

Providers MUST evaluate detected vulnerabilities, considering the context of the cloud service offering, to estimate the potential adverse impact of exploitation on government customers AND assign one of the following potential adverse impact ratings:

• N1: Exploitation could be expected to have negligible adverse effects on one or more agencies that use the cloud service offering.

• N2: Exploitation could be expected to have limited adverse effects on one or more agencies that use the cloud service offering.

• N3: Exploitation could be expected to have a serious adverse effect on one agency that uses the cloud service offering.

• N4: Exploitation could be expected to have a catastrophic adverse effect on one agency that uses the cloud service offering OR a serious adverse effect on more than one federal agency that uses the cloud service offering.

• N5: Exploitation could be expected to have a catastrophic adverse effect on more than one agency that uses the cloud service offering.

Applies to: Low, Moderate, High

Providers SHOULD consider at least the following factors when considering the context of the cloud service offering to evaluate detected vulnerabilities:

1. Criticality: How important are the systems or information that might be impacted by the vulnerability?

2. Reachability: How might a threat actor reach the vulnerability and how likely is that?

3. Exploitability: How easy is it for a threat actor to exploit the vulnerability and how likely is that?

4. Detectability: How easy is it for a threat actor to become aware of the vulnerability and how likely is that?

5. Prevalence: How much of the cloud service offering is affected by the vulnerability?

6. Privilege: How much privileged authority or access is granted or can be gained from exploiting the vulnerability?

7. Proximate Vulnerabilities: How does this vulnerability interact with previously detected vulnerabilities, especially partially or fully mitigated vulnerabilities?

8. Known Threats: How might already known threats leverage the vulnerability and how likely is that?

Applies to: Low, Moderate, High

Providers MUST document the reason and resulting implications for their customers when choosing not to meet FedRAMP recommendations in this standard; this documentation MUST be included in the authorization data for the cloud service offering.

Applies to: Low, Moderate, High

If it is not possible to fully mitigate or remediate detected vulnerabilities, providers SHOULD instead partially mitigate vulnerabilities promptly, progressively, and persistently.

Applies to: Low, Moderate, High

Providers SHOULD make design and architecture decisions for their cloud service offering that mitigate the risk of vulnerabilities by default AND decrease the risk and complexity of vulnerability detection and response.

Applies to: Low, Moderate, High

Providers SHOULD use automated services to improve and streamline vulnerability detection and response.

Applies to: Low, Moderate, High

Providers SHOULD automatically perform vulnerability detection on representative samples of new or significantly changed information resources.

Applies to: Low, Moderate, High

Providers SHOULD NOT weaken the security of information resources to facilitate vulnerability scanning or assessment activities.

Applies to: Low, Moderate, High

Providers SHOULD NOT deploy or otherwise activate new machine-based information resources with Known Exploited Vulnerabilities.

Applies to: Low, Moderate, High

Providers MUST report vulnerability detection and response activity to all necessary parties persistently, summarizing ALL activity since the previous report; these reports are authorization data and are subject to the FedRAMP Authorization Data Sharing (ADS) standard.

Applies to: Low, Moderate, High

Providers SHOULD include high-level overviews of ALL vulnerability detection and response activities conducted during this period for the cloud service offering; this includes vulnerability disclosure programs, bug bounty programs, penetration testing, assessments, etc.

Applies to: Low, Moderate, High

Providers MUST NOT irresponsibly disclose specific sensitive information about vulnerabilities that would likely lead to exploitation, but MUST disclose sufficient information for informed risk-based decision-making to all necessary parties.

Note: See FRR-VDR-EX for exceptions to this requirement.

Applies to: Low, Moderate, High

Providers MAY responsibly disclose vulnerabilities publicly or with other parties if the provider determines doing so will NOT likely lead to exploitation.

Applies to: Low, Moderate, High

Providers MUST include the following information (if applicable) on detected vulnerabilities when reporting on vulnerability detection and response activity, UNLESS it is an accepted vulnerability:

1. Provider's internally assigned tracking identifier

2. Time and source of the detection

3. Time of completed evaluation

4. Is it an internet-reachable vulnerability or not?

5. Is it a likely exploitable vulnerability or not?

6. Historically and currently estimated potential adverse impact of exploitation

7. Time and level of each completed and evaluated reduction in potential adverse impact

8. Estimated time and target level of next reduction in potential adverse impact

9. Is it currently or is it likely to become an overdue vulnerability or not? If so, explain.

10. Any supplementary information the provider responsibly determines will help federal agencies assess or mitigate the risk to their federal customer data within the cloud service offering resulting from the vulnerability

11. Final disposition of the vulnerability

Applies to: Low, Moderate, High

Providers MUST include the following information on accepted vulnerabilities when reporting on vulnerability detection and response activity:

1. Provider's internally assigned tracking identifier

2. Time and source of the detection

3. Time of completed evaluation

4. Is it an internet-reachable vulnerability or not?

5. Is it a likely exploitable vulnerability or not?

6. Currently estimated potential adverse impact of exploitation

7. Explanation of why this is an accepted vulnerability

8. Any supplementary information the provider determines will responsibly help federal agencies assess or mitigate the risk to their federal customer data within the cloud service offering resulting from the accepted vulnerability

Applies to: Low, Moderate, High

Providers MAY be required to share additional vulnerability information, alternative reports, or to report at an alternative frequency as a condition of a FedRAMP Corrective Action Plan or other agreements with federal agencies.

Applies to: Low, Moderate, High

Providers MAY be required to provide additional information or details about vulnerabilities, including sensitive information that would likely lead to exploitation, as part of review, response or investigation by necessary parties.

Applies to: Low, Moderate, High

Providers MUST NOT use this standard to reject requests for additional information from necessary parties which also include law enforcement, Congress, and Inspectors General.

Applies to: Low, Moderate, High

Providers MUST report vulnerability detection and response activity to all necessary parties in a consistent format that is human readable at least monthly.

Applies to: Low, Moderate, High

Providers SHOULD remediate Known Exploited Vulnerabilities according to the due dates in the CISA Known Exploited Vulnerabilities Catalog (even if the vulnerability has been fully mitigated) as required by CISA Binding Operational Directive (BOD) 22-01 or any successor guidance from CISA.

Applies to: Low, Moderate, High

Providers MUST categorize any vulnerability that is not or will not be fully mitigated or remediated within 192 days of evaluation as an accepted vulnerability.

Applies to: Low, Moderate, High

Providers SHOULD make all recent historical vulnerability detection and response activity available in a machine-readable format for automated retrieval by all necessary parties (e.g. using an API service or similar); this information SHOULD be updated persistently, at least once every month.

Applies to: Low

Providers SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once every week.

Applies to: Low

Providers SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every month.

Applies to: Low

Providers SHOULD persistently perform vulnerability detection on all information resources that are NOT likely to drift, at least once every six months.

Applies to: Low

Providers SHOULD evaluate ALL vulnerabilities as required by FRR-VDR-07, FRR-VDR-08, and FRR-VDR-09 within 7 days of detection.

Applies to: Low

Providers SHOULD partially mitigate, fully mitigate, or remediate vulnerabilities to a lower potential adverse impact within the timeframes from evaluation shown below (in days), factoring for the current potential adverse impact, internet reachability, and likely exploitability:

Applies to: Low

Providers SHOULD mitigate or remediate remaining vulnerabilities during routine operations as determined necessary by the provider.

Applies to: Low

Providers SHOULD make all recent historical vulnerability detection and response activity available in a machine-readable format for automated retrieval by all necessary parties (e.g. using an API service or similar); this information SHOULD be updated persistently, at least once every 14 days.

Applies to: Moderate

Providers SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once every 3 days.

Applies to: Moderate

Providers SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every 14 days.

Applies to: Moderate

Providers SHOULD persistently perform vulnerability detection on all information resources that are NOT likely to drift, at least once per month.

Applies to: Moderate

Providers SHOULD evaluate ALL vulnerabilities as required by FRR-VDR-07, FRR-VDR-08, and FRR-VDR-09 within 5 days of detection.

Applies to: Moderate

Providers SHOULD treat internet-reachable likely exploitable vulnerabilities with a potential adverse impact of N4 or N5 as a security incident until they are partially mitigated to N3 or below.

Applies to: Moderate

Providers SHOULD partially mitigate, fully mitigate, or remediate vulnerabilities to a lower potential adverse impact within the timeframes from evaluation shown below, factoring for the current potential adverse impact, internet reachability, and likely exploitability:

Applies to: Moderate

Providers SHOULD mitigate or remediate remaining vulnerabilities during routine operations as determined necessary by the provider.

Applies to: Moderate

Providers SHOULD make all recent historical vulnerability detection and response activity available in a machine-readable format for automated retrieval by all necessary parties (e.g. using an API service or similar); this information SHOULD be updated persistently, at least once every 7 days.

Applies to: High

Providers SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once per day.

Applies to: High

Providers SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every 7 days.

Applies to: High

Providers SHOULD persistently perform vulnerability detection on all information resources that are NOT likely to drift, at least once every month.

Applies to: High

Providers SHOULD evaluate ALL vulnerabilities as required by FRR-VDR-07, FRR-VDR-08, and FRR-VDR-09 within 2 days of detection.

Applies to: High

Providers SHOULD treat internet-reachable likely exploitable vulnerabilities with a potential adverse impact of N4 or N5 as a security incident until they are partially mitigated to N3 or below.

Applies to: High

Providers SHOULD treat likely exploitable vulnerabilities that are NOT internet-reachable with a potential adverse impact of N5 as a security incident until they are partially mitigated to N4 or below.

Applies to: High

Providers SHOULD partially mitigate vulnerabilities to a lower potential adverse impact within the maximum time-frames from evaluation shown below, factoring for the current potential adverse impact, internet reachability, and likely exploitability:

Applies to: High

Providers SHOULD mitigate or remediate remaining vulnerabilities during routine operations as determined necessary by the provider.

Applies to: High

Agencies SHOULD review the information provided in vulnerability reports at appropriate and reasonable intervals commensurate with the expectations and risk posture indicated by their Authorization to Operate, and SHOULD use automated processing and filtering of machine readable information from cloud service providers.

Note: FedRAMP recommends that agencies only review overdue and accepted vulnerabilities with a potential adverse impact of N3 or higher unless the cloud service provider recommends mitigations or the service is included in a higher risk federal information system. Furthermore, accepted vulnerabilities generally only need to be reviewed when they are added or during an updated risk assessment due to changes in the agency’s use or authorization.

Applies to: Low, Moderate, High

Agencies SHOULD use vulnerability information reported by the Provider to maintain Plans of Action & Milestones for agency security programs when relevant according to agency security policies (such as if the agency takes action to mitigate the risk of exploitation or authorized the continued use of a cloud service with accepted vulnerabilities that put agency information systems at risk).

Applies to: Low, Moderate, High

Agencies SHOULD NOT request additional information from cloud service providers that is not required by this FedRAMP standard UNLESS the head of the agency or an authorized delegate makes a determination that there is a demonstrable need for such.

Note: This is related to the Presumption of Adequacy directed by 44 USC § 3613 (e).

Applies to: Low, Moderate, High

Agencies MUST inform FedRAMP after requesting any additional vulnerability information or materials from a cloud service provider beyond those required by this policy by sending a notification to info@fedramp.gov.

Note: This is an OMB policy; agencies are required to notify FedRAMP in OMB Memorandum M-24-15 section IV (a).

Applies to: Low, Moderate, High