VDR-EVA-GRV: Group Vulnerabilities
Vulnerability Detection and Response (VDR) · Evaluation
Applies to: Providers
- Who this applies to: Providers
- Service class: All service classes
- Force: SHOULD
- Timeframe: No fixed timeframe
Reviewed implementation guidance for VDR-EVA-GRV is not published yet. The official source below remains complete and authoritative.
Official FedRAMP source
Verbatim from FedRAMP/rules
Providers SHOULD evaluate detected vulnerabilities, considering the context of the cloud service offering, to identify logical groupings of affected information resources that may improve the efficiency and effectiveness of vulnerability response by consolidating further activity; FedRAMP Vulnerability Detection and Response rules are then applied to these consolidated groupings of vulnerabilities instead of each individual detected instance.
Change history
2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Content provenance
Official requirement text is sourced from FedRAMP/rules. Boundera implementation guidance has not been fully reviewed for this item.