VDR-BST-SIRMAYAll frameworksImplementation guide coming soon

Sampling

Vulnerability Detection and Response (VDR) · Best Practices

Applies to: Providers

Who this applies to: Providers
Service class: All service classes
Force: MAY
Timeframe: No fixed timeframe

Reviewed implementation guidance for VDR-BST-SIR is not published yet. The official source below remains complete and authoritative.

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MAY sample effectively identical information resources, especially machine-based information resources, when performing vulnerability detection UNLESS doing so would decrease the efficiency or effectiveness of vulnerability detection.

Defined terms in this requirement

Information Resource Machine-Based (Information Resources)Provider Vulnerability Vulnerability Detection

Change history

2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.