VDR-RPT-PERMUSTAll frameworksImplementation guide coming soon

Persistent Reporting

Vulnerability Detection and Response (VDR) · Reporting

Applies to: Providers

Who this applies to: Providers
Service class: All service classes
Force: MUST
Timeframe: No fixed timeframe

Reviewed implementation guidance for VDR-RPT-PER is not published yet. The official source below remains complete and authoritative.

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MUST report vulnerability detection and response activity (including persistent verification and validation) to all necessary parties persistently, summarizing ALL activity since the previous report; these reports are FedRAMP Certification Data and are subject to FedRAMP Certification Data Sharing rules.

Defined terms in this requirement

All Necessary Parties Certification Data Persistently Provider Validation Verification Vulnerability Vulnerability Detection Vulnerability Response

Change history

2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.