OFR-AFR-VDR · MUST · All frameworks · Partial review

Vulnerability Detection and Response

Ongoing FedRAMP Certification (OFR) · Addressing FedRAMP Rules

Who this applies to: Providers
Service class: All service classes
Force: MUST
Timeframe: No fixed timeframe

What your CSP needs to do

A CSP needs a repeatable vulnerability detection program that covers its in-scope technology, uses authenticated techniques where appropriate, and produces evidence that findings are tracked to an allowed disposition.

The illustrative example below demonstrates only the Qualys-backed portion of that program. It is intentionally narrower than a complete VDR implementation. The evidence originated under the earlier KSI-AFR-VDR evaluation model and is mapped here to the current provider-addressed OFR-AFR-VDR requirement.

What passing evidence looks like

Use evidence that ties each narrative claim to a passing assertion. Scanner screenshots alone are weaker than exportable scan records, asset inventory, authentication configuration, and finding lifecycle data.

Illustrative CSP example

Evidence-grounded draft

Example organization: ExampleCloud. This is Boundera-authored implementation material, not official FedRAMP guidance.

Sample implementation narrative

ExampleCloud uses Qualys to run recurring scheduled vulnerability scans against represented compute assets. Authenticated scanning is configured for operating-system and PostgreSQL targets, and the vulnerability workflow tracks container software findings that meet the defined passing condition. The resulting scan, inventory, authentication, and finding records provide machine-readable evidence of the vulnerability detection activities demonstrated in this example.

Evidence supporting the narrative

Recent scheduled vulnerability scans

Qualys · scan records · recurring

Automated

Passing condition: Scheduled scans completed within the expected collection window.

Assertions: qualys_scans_recent

Represented compute inventory

Qualys · asset inventory · recurring

Automated

Passing condition: In-scope compute assets appear in the scanner inventory.

Assertions: qualys_host_inventory_seen

Authenticated scan configuration

Qualys · scanner configuration · recurring

Automated

Passing condition: An option profile and database authentication record demonstrate authenticated scanning.

Assertions: qualys_option_profile_authenticated, qualys_db_auth_record_present

Container vulnerability findings

Qualys · vulnerability records · recurring

Automated

Passing condition: Findings are remediated, accepted, or below the configured high-severity threshold.

Assertions: qualys_container_vulnerabilities
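As an added illustration (not Boundera's or Qualys's code), the five assertions above evaluated against constructed scanner-export records. The record field names, the seven-day collection window and the severity threshold are assumptions; the authorization-boundary asset list is supplied separately, because the scanner's own inventory cannot show which boundary assets it never saw.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 5, 4, tzinfo=timezone.utc)   # constructed evaluation time
SCAN_WINDOW = timedelta(days=7)                    # assumed collection window
HIGH_SEVERITY = 4                                  # assumed "high" threshold on a 1-5 scale

# Constructed records shaped like scanner exports; field names are assumptions, not a real schema.
scans = [{"id": "scan-1", "status": "Finished", "launched": NOW - timedelta(days=2)}]
inventory = {"web-01", "db-01"}                    # hosts the scanner has seen
boundary = {"web-01", "db-01", "worker-01"}        # authorization-boundary assets (non-scanner source)
option_profile = {"name": "ExampleCloud-auth", "auth_enabled": {"unix": True, "postgresql": True}}
db_auth_records = [{"type": "PostgreSQL", "hosts": ["db-01"]}]
container_findings = [
    {"qid": 1, "severity": 5, "status": "Fixed"},
    {"qid": 2, "severity": 4, "status": "Active", "risk_accepted": True},
    {"qid": 3, "severity": 2, "status": "Active"},
    {"qid": 4, "severity": 5, "status": "Active"},   # open, high, not accepted -> fails
]

def qualys_scans_recent(scans, now=NOW, window=SCAN_WINDOW):
    # A finished scan launched inside the window satisfies the passing condition.
    return any(s["status"] == "Finished" and now - s["launched"] <= window for s in scans)

def qualys_host_inventory_seen(inventory, boundary):
    # Pass only if every boundary asset is present; report the gap so it can be fixed.
    missing = sorted(boundary - inventory)
    return (not missing, missing)

def qualys_option_profile_authenticated(profile, required=("unix", "postgresql")):
    # Authenticated scanning must be enabled for every required target type.
    return all(profile["auth_enabled"].get(kind) for kind in required)

def qualys_db_auth_record_present(records, db_type="PostgreSQL"):
    # A database auth record counts only if it is bound to at least one host.
    return any(r["type"] == db_type and r["hosts"] for r in records)

def qualys_container_vulnerabilities(findings, threshold=HIGH_SEVERITY):
    # Remediated or accepted findings are allowed dispositions; open high findings are not.
    open_high = [f["qid"] for f in findings
                 if f["status"] != "Fixed" and not f.get("risk_accepted")
                 and f["severity"] >= threshold]
    return (not open_high, open_high)

def evaluate():
    # One result per assertion name, matching the evidence items above.
    return {
        "qualys_scans_recent": qualys_scans_recent(scans),
        "qualys_host_inventory_seen": qualys_host_inventory_seen(inventory, boundary),
        "qualys_option_profile_authenticated": qualys_option_profile_authenticated(option_profile),
        "qualys_db_auth_record_present": qualys_db_auth_record_present(db_auth_records),
        "qualys_container_vulnerabilities": qualys_container_vulnerabilities(container_findings),
    }
```

With the constructed data, two assertions fail: the inventory check names worker-01 as unseen, and the container check names QID 4 as an open high finding, which is exactly the detail an assessor would ask for.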

What this example does not prove

  • The inspected evidence did not demonstrate enabled AWS GuardDuty.
  • The inspected evidence did not demonstrate available AWS Security Hub.
  • The inspected evidence did not demonstrate active Azure Defender.
  • The inspected evidence did not include a manual VDR methodology report.

What an assessor may challenge

  1. Claiming a cloud-native detection service is enabled when the connector reports that it is disabled or unavailable.
  2. Treating a scanner inventory as proof that every authorization-boundary asset is covered.
  3. Describing a vulnerability methodology document that was not supplied as evidence.

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MUST follow and persistently address the FedRAMP Vulnerability Detection and Response (VDR) rules, based on the applicability and effective date(s) in those rules.

Defined terms in this requirement

NIST 800-53 crosswalk

ca-2, ca-7, ca-7.6, ir-1, ir-4, ir-4.1, ir-5, ir-5.1, ir-6, ir-6.1, ir-6.2, pm-3, pm-5, pm-31, ra-2, ra-2.1, ra-3, ra-3.3, ra-5, ra-5.2, ra-5.3, ra-5.4, ra-5.5, ra-5.6, ra-5.7, ra-5.11, ra-9, ra-10, si-2, si-2.1, si-2.2, si-2.4, si-2.5, si-3, si-3.1, si-3.2, si-4, si-4.2, si-4.3, si-4.7, ca-7.4, ra-7

References

Vulnerability Detection and Response

Change history

  • 2026-05-04 · Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules. Boundera implementation guidance has not been fully reviewed for this item.

Guidance authors: Boundera Engineering.