VDR-EVA-ELX · Evaluate Exploitability
Vulnerability Detection and Response (VDR) · Evaluation
Applies to: Providers
- Who this applies to: Providers
- Service class: All service classes
- Force: MUST
- Timeframe: No fixed timeframe
Reviewed implementation guidance for VDR-EVA-ELX is not published yet. The official source below remains complete and authoritative.
Official FedRAMP source
Verbatim from FedRAMP/rules
Providers MUST evaluate detected vulnerabilities, considering the context of the cloud service offering, to determine if they are likely exploitable vulnerabilities.
Notes
- The simple reality is that most traditional vulnerabilities discovered by scanners or during assessment are not likely to be exploitable; exploitation typically requires an unrealistic set of circumstances that will not occur during normal operation. The likelihood of exploitation will vary depending on so many factors that FedRAMP will not recommend a specific framework for approaching this beyond these rules.
- The proof, ultimately, is in the pudding - providers who regularly evaluate vulnerabilities as not likely exploitable without careful consideration are more likely to suffer from an adverse impact where the root cause was an exploited vulnerability that was improperly evaluated. If done recklessly or deliberately, such actions will have a negative impact on a provider's FedRAMP Certification.
Change history
2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Content provenance
Official requirement text is sourced from FedRAMP/rules. Boundera implementation guidance has not been fully reviewed for this item.