VDR-EVA-EFA · SHOULD

Evaluation Factors

Vulnerability Detection and Response (VDR) · Evaluation

Applies to: Providers
Service class: All service classes
Force: SHOULD
Timeframe: No fixed timeframe

Reviewed implementation guidance for VDR-EVA-EFA is not published yet. The official source below remains complete and authoritative.

Information required

  • Criticality: How important are the systems or information that might be impacted by the vulnerability?
  • Reachability: How might a threat actor reach the vulnerability and how likely is that?
  • Exploitability: How easy is it for a threat actor to exploit the vulnerability and how likely is that?
  • Detectability: How easy is it for a threat actor to become aware of the vulnerability and how likely is that?
  • Prevalence: How much of the cloud service offering is affected by the vulnerability?
  • Privilege: How much privileged authority or access is granted or can be gained from exploiting the vulnerability?
  • Proximate Vulnerabilities: How does this vulnerability interact with previously detected vulnerabilities, especially partially or fully mitigated vulnerabilities?
  • Known Threats: How might already known threats leverage the vulnerability and how likely is that?

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers SHOULD consider at least the following factors when considering the context of the cloud service offering to evaluate detected vulnerabilities:

Change history

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules. Boundera implementation guidance has not been fully reviewed for this item.