Vulnerability
Also: vulnerability, vulnerabilities
Definition
Verbatim from FedRAMP/rules
Has the meaning given to "security vulnerability" in 6 USC § 650 (25), which is "any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of [...] management, operational, and technical controls used to protect against an unauthorized effort to adversely affect the confidentiality, integrity, and availability of an information system or its information." This includes gaps in Rev5 controls and 20x Key Security Indicators, software vulnerabilities, misconfigurations, exposures, weak credentials, insecure services, and all other such potential weaknesses in protection (intentional or unintentional).
Used in 40 rule requirements
This term is a defined part of the following FedRAMP rule requirements — when it appears in a rule, this definition applies precisely.
CCM-OCR-AVL
IFR-CLA-AFR
OFR-AFR-VDR
SCN-ADP-NTF
SCN-CSO-INF
SCN-RTR-NNR
SCN-TRF-NAV
VDR-BST-ADT
VDR-BST-AKE
VDR-BST-DAC
VDR-BST-DFR
VDR-BST-MSP
VDR-BST-SIR
VDR-CSO-DET
VDR-CSO-FAV
VDR-CSO-RES
VDR-EVA-EFA
VDR-EVA-EFP
VDR-EVA-EIR
VDR-EVA-ELX
VDR-EVA-EPA
VDR-EVA-GRV
VDR-RPT-AVI
VDR-RPT-HLO
VDR-RPT-NID
VDR-RPT-PER
VDR-RPT-RPD
VDR-RPT-VDT
VDR-TFR-EVU
VDR-TFR-IRI
VDR-TFR-KEV
VDR-TFR-MAV
VDR-TFR-MHR
VDR-TFR-MRH
VDR-TFR-NRI
VDR-TFR-PCD
VDR-TFR-PDD
VDR-TFR-PSD
VDR-TFR-PVR
VDR-TFR-RMN
Referenced by 3 KSIs
References
Change history
2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.