FRD-LEV | Vulnerability | Implementation guide coming soon

Likely Exploitable Vulnerability (LEV)

Also: likely exploitable vulnerability, likely exploitable vulnerabilities, LEV, LEVs, NLEV, NLEVs

Definition

Verbatim from FedRAMP/rules

A vulnerability that is not fully mitigated AND is reachable by a likely threat actor; AND a likely threat actor with knowledge of the vulnerability would likely gain unauthorized access, cause harm, disrupt operations, or otherwise have an undesired adverse impact within the cloud service offering by exploiting the vulnerability.

Notes

  • At the absolute minimum, any vulnerability that an automated unauthenticated system can exploit over the internet is a likely exploitable vulnerability.
  • The opposite of this is a Not Likely Exploitable Vulnerability (NLEV).

Used in 5 rule requirements

This term is a defined part of the following FedRAMP rule requirements — when it appears in a rule, this definition applies precisely.

Change history

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Source of truth: FedRAMP/rules. Definitions are published verbatim; Boundera adds cross-references and implementation context.