FedRAMP Response to CISA BOD 26-04 (Prioritizing Security Updates Based on Risk)
NTC-0014 published at Tue, 16 Jun 2026 13:35:00 GMT // Markdown Version
On June 10, 2026, CISA released Binding Operational Directive 26-04: Prioritizing Security Updates Based on Risk. This Binding Operational Directive (BOD) reprioritizes vulnerability remediation based on public exposure, Known Exploited Vulnerability (KEV) status, automatability, and technical impact.
This Public Notice explains that FedRAMP will now require mandatory adoption of the new FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules by December 7, 2026, to align with CISA BOD 26-04.
Alignment with Updated FedRAMP Rules
This CISA BOD strongly aligns with FedRAMP’s upcoming Vulnerability Detection and Response (VDR) and Vulnerability Evaluation and Reporting (VER) rules that will be finalized with the Consolidated Rules for 2026 by the end of June. These rules were introduced originally in August of 2025 in RFC-0012 then released as the VDR process in late 2025 for FedRAMP 20x. A Rev5 Open Beta of the VDR ran from February to May of this year.
Cloud service providers should be familiar with the VDR and the planned migration of all services from legacy vulnerability scanning to an exposure and threat-based approach. The VER, first introduced in the Public Preview of the Consolidated Rules for 2026, contains the evaluation and reporting rules from the VDR in a separate ruleset for convenience.
Any cloud service provider that follows the Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules will meet the timelines, prioritization requirements, and approach set out in BOD 26-04. The VDR and VER rules address BOD 26-04 requirements as follows:
VER-EVA-EIR (Evaluate Internet-Reachability) requires an evaluation to determine if vulnerabilities are likely reachable over the internet. This requirement exceeds the BOD 26-04 requirement to evaluate if vulnerabilities are publicly exposed.
VER-EVA-ELX (Evaluate Exploitability) requires an evaluation to determine if vulnerabilities are likely exploitable. This addresses the requirements in BOD 26-04 to assess KEV Status and Exploit Automation.
VER-EVA-EFA (Evaluation Factors) expects evaluations to consider many factors that supplement the KEV Status, Exploit Automation, and Technical Impact evaluation required by BOD 26-04.
VER-EVA-AIA (Assume It’s Automatable) is a new rule added to the VER rules that requires providers to assume exploits are automatable by default, unless they have evidence proving otherwise. This exceeds the requirements in BOD 26-04 to evaluate Exploit Automation.
VDR-TFR-KEV (Remediate KEVs) requires the remediation of KEVs according to the timelines in BOD 26-04 unless there are valid technical reasons not to do so.
VDR-CSO-RES (Vulnerability Response) requires the ongoing mitigation and remediation of vulnerabilities. This allows flexibility in addressing BOD 26-04 requirements to remediate specific vulnerabilities, as cloud service providers may mitigate a vulnerability until it is no longer automatable or internet-reachable and therefore does not require full remediation.
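The mapping above is easier to reason about as a triage procedure. The following is an added example, not FedRAMP's or CISA's code: a small Python model that applies the evaluation factors named in the rules (internet-reachability, KEV status, assumed automatability, technical impact as a recorded factor) to constructed findings and shows how a mitigation that removes reachability and automatability changes the outcome. The `Finding` fields, the disposition labels, the sample identifiers and the `mitigate` helper are all assumptions; no remediation timelines are encoded because this notice does not state them.

```python
"""Hypothetical triage model for the VER/VDR evaluation factors (added example)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    vuln_id: str                          # constructed identifier, not a real CVE
    internet_reachable: bool              # outcome of VER-EVA-EIR
    in_kev: bool                          # CISA KEV status
    # VER-EVA-AIA: None means no evidence either way, so automation is assumed
    automatable_evidence: Optional[bool] = None
    technical_impact: str = "unknown"     # constructed label, e.g. "total" / "partial"
    kev_exception_reason: Optional[str] = None  # valid technical reason, if any


def assumed_automatable(f: Finding) -> bool:
    """VER-EVA-AIA: treat the exploit as automatable unless evidence proves otherwise."""
    return True if f.automatable_evidence is None else f.automatable_evidence


def likely_exploitable(f: Finding) -> bool:
    """VER-EVA-ELX: KEV status or an automatable exploit makes exploitation likely."""
    return f.in_kev or assumed_automatable(f)


def disposition(f: Finding) -> str:
    """Map the evaluation factors to a response category (labels are assumptions)."""
    if f.in_kev and f.kev_exception_reason is None:
        return "remediate-on-kev-timeline"               # VDR-TFR-KEV
    if not f.internet_reachable and not assumed_automatable(f):
        return "mitigated-no-full-remediation-required"  # VDR-CSO-RES outcome
    if f.internet_reachable and likely_exploitable(f):
        return "prioritize-remediation"
    return "ongoing-mitigation"                          # keep working it under VDR-CSO-RES


def mitigate(f: Finding, *, removes_reachability: bool = False,
             removes_automation: bool = False) -> Finding:
    """Record a mitigation by updating only the factors it actually changes.

    Setting automatable_evidence to False represents documented evidence that the
    exploit is no longer automatable; a bare claim would not satisfy VER-EVA-AIA.
    """
    changes = {}
    if removes_reachability:
        changes["internet_reachable"] = False
    if removes_automation:
        changes["automatable_evidence"] = False
    return replace(f, **changes)


def triage(findings: List[Finding]) -> Dict[str, str]:
    """Evaluate every finding and return {vuln_id: disposition}."""
    return {f.vuln_id: disposition(f) for f in findings}


# Constructed sample findings (not real vulnerabilities).
SAMPLE = [
    Finding("VULN-A", internet_reachable=True, in_kev=True, technical_impact="total"),
    Finding("VULN-B", internet_reachable=True, in_kev=False),            # no automation evidence
    Finding("VULN-C", internet_reachable=True, in_kev=False, automatable_evidence=False),
    Finding("VULN-D", internet_reachable=False, in_kev=False),           # not reachable, assumed automatable
    Finding("VULN-E", internet_reachable=True, in_kev=True,
            kev_exception_reason="constructed: vendor fix not yet available"),
]

if __name__ == "__main__":
    for vuln_id, result in triage(SAMPLE).items():
        print(f"{vuln_id}: {result}")
    after = mitigate(SAMPLE[1], removes_reachability=True, removes_automation=True)
    print(f"VULN-B after mitigation: {disposition(after)}")
```

Running the block shows VULN-B prioritized purely because no automation evidence exists, and the same finding dropping to the mitigated category only once the mitigation removes both reachability and automatability; removing reachability alone leaves it under ongoing mitigation.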
BOD 26-04 requires agencies to update processes along the following timelines:
By August 7, 2026, agency policies must support ongoing vulnerability remediation.
By December 7, 2026, agencies must begin evaluating and remediating vulnerabilities following the timelines in BOD 26-04.
FedRAMP has confirmed with CISA that cloud service providers following the Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules will meet or exceed the expectations for the protection of federal information required by BOD 26-04 while providing the necessary assurance to FedRAMP and their agency customers.
Updated Continuous Monitoring Requirements for All Cloud Services
Unfortunately, cloud service providers who are not actively working to transition to the new FedRAMP vulnerability rules will not be able to provide the assurance that agencies will require under BOD 26-04; the legacy monthly vulnerability scanning process that most FedRAMP Rev5 Certified cloud services currently follow is insufficient.
An update to the mandatory continuous monitoring processes is required for all FedRAMP Rev5 customers to ensure federal information is appropriately protected by all FedRAMP Certified cloud service offerings in a way that aligns with this updated Binding Operational Directive for the federal government.
Mandatory adoption of the Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules was planned for June 1, 2027, with a grace period extending until January 1, 2028. The release of BOD 26-04 makes it clear that CISA will not accept slow incremental adoption of updated vulnerability detection and response methodologies to protect the U.S. Government. FedRAMP is required to align with guidance from CISA on the protection of federal information, and cloud service providers who wish to maintain FedRAMP Certification must be able to meet government-wide assurance requirements such as those in BOD 26-04.
To address BOD 26-04, FedRAMP will update the Consolidated Rules for 2026 prior to final release at the end of June as follows:
The Vulnerability Detection and Response rules will be mandatory for all cloud service offerings obtaining or maintaining FedRAMP Certification effective December 7, 2026.
The Vulnerability Evaluation and Reporting rules will be mandatory for all cloud service offerings obtaining or maintaining FedRAMP Certification effective December 7, 2026.
Additional reporting guidance will be provided for cloud service offerings that are not following the Certification Data Sharing rules yet.
FedRAMP will provide a grace period through March 7, 2027, during which cloud service offerings may maintain their FedRAMP Certification under a corrective action plan (which will include notice to all agencies). After this date, FedRAMP Certification will be revoked for all cloud service offerings not following these rules.
Providers are fully responsible for ensuring they are aware of and follow FedRAMP Rules to obtain or maintain FedRAMP Certification. FedRAMP will notify all providers using the FedRAMP Security Inbox in addition to this Public Notice, and will communicate this Public Notice over all social media channels.
Please note that these rules may undergo minor changes during the final two weeks of the Public Preview of the Consolidated Rules for 2026. Providers should still familiarize themselves with the rules and begin preparing to follow them as quickly as possible. This notice will be updated once the Consolidated Rules for 2026 are finalized to avoid confusion in the future.
Cloud service providers are reminded that the timeframes stipulated in both FedRAMP’s Rules and CISA’s BOD 26-04 are maximum timeframes. Providers should mitigate and/or remediate vulnerabilities much faster than the maximum timeframe.