VDR-EVA-EPAMUSTAll frameworksImplementation guide coming soon

Estimate Potential Adverse Impact

Vulnerability Detection and Response (VDR) · Evaluation

Applies to: Providers

Who this applies to: Providers
Service class: All service classes
Force: MUST
Timeframe: No fixed timeframe

Reviewed implementation guidance for VDR-EVA-EPA is not published yet. The official source below remains complete and authoritative.

Information required

N1: Exploitation could be expected to have minimal customer effects on one or more agencies that use the cloud service offering.
N2: Exploitation could be expected to have narrow customer effects on one or more agencies that use the cloud service offering.
N3: Exploitation could be expected to have a disruptive customer effect on one agency that uses the cloud service offering.
N4: Exploitation could be expected to have a debilitating customer effect on one agency that uses the cloud service offering OR a disruptive customer effect on more than one federal agency that uses the cloud service offering.
N5: Exploitation could be expected to have a debilitating customer effect on more than one agency that uses the cloud service offering.

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MUST evaluate detected vulnerabilities, considering the context of the cloud service offering, to estimate the potential adverse impact of exploitation on government customers AND assign one of the following Potential Agency Impact N-ratings (PAIN):

Defined terms in this requirement

Agency Cloud Service Offering Debilitating Customer Effect Disruptive Customer Effect Minimal Customer Effect Narrow Customer Effect Potential Agency Impact Provider Vulnerability Vulnerability Detection

Change history

2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.