VDR-RPT-AVI · MUST

Accepted Vulnerability Info

Vulnerability Detection and Response (VDR) · Reporting

Applies to: Providers
Service class: All service classes
Force: MUST
Timeframe: No fixed timeframe

Reviewed implementation guidance for VDR-RPT-AVI is not published yet. The official source below remains complete and authoritative.

Information required

  • Provider's internally assigned tracking identifier
  • Time and source of the detection
  • Time of completed evaluation
  • Is it an internet-reachable vulnerability or not?
  • Is it a likely exploitable vulnerability or not?
  • Currently estimated Potential Agency Impact N-rating
  • Explanation of why this is an accepted vulnerability
  • Any supplementary information the provider determines will responsibly help federal agencies assess or mitigate the risk to their federal customer data within the cloud service offering resulting from the accepted vulnerability

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MUST include the following information on accepted vulnerabilities when reporting on vulnerability detection and response activity:

Change history

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules. Boundera implementation guidance has not been fully reviewed for this item.