Vulnerability Detection and Response

The Vulnerability Detection and Response rules require providers to continuously identify, analyze, prioritize, mitigate, and remediate vulnerabilities and related exposures through automated systems. These rules give providers flexibility in implementation while ensuring agencies receive the information needed to support ongoing authorization decisions.


FedRAMP Responsibilities

These rules apply to FedRAMP when setting expectations for specific cloud service providers.

Additional Requirements

VDR-FRP-ARP

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

FedRAMP MAY require providers to share additional vulnerability information, alternative reports, or to report at an alternative frequency as a condition of a FedRAMP Corrective Action Plan or other agreements with federal agencies.


Terms: Vulnerability

Sensitive Details

VDR-FRP-ADV

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

FedRAMP MAY require providers to share additional information or details about vulnerabilities, including sensitive information that would likely lead to exploitation, as part of review, response or investigation by necessary parties.


Terms: Likely, Vulnerability, Vulnerability Response
