VDR-RPT-VDT · MUST · All frameworks · Implementation guide coming soon
Vulnerability Details
Vulnerability Detection and Response (VDR) · Reporting
Applies to: Providers
- Who this applies to: Providers
- Service class: All service classes
- Force: MUST
- Timeframe: No fixed timeframe
Reviewed implementation guidance for VDR-RPT-VDT is not published yet. The official source below remains complete and authoritative.
Information required
- Provider's internally assigned tracking identifier
- Time and source of the detection
- Time of completed evaluation
- Is it an internet-reachable vulnerability or not?
- Is it a likely exploitable vulnerability or not?
- Historically and currently estimated Potential Agency Impact N-rating of exploitation
- Time and Potential Agency Impact N-rating of each completed and evaluated reduction in Potential Agency Impact N-rating
- Estimated time and target Potential Agency Impact N-rating of next reduction in Potential Agency Impact N-rating
- Is it currently or is it likely to become an overdue vulnerability or not? If so, explain.
- Any supplementary information the provider responsibly determines will help federal agencies assess or mitigate the risk to their federal customer data within the cloud service offering resulting from the vulnerability
- Final disposition of the vulnerability
Official FedRAMP source
Verbatim from FedRAMP/rules
Providers MUST include the following information (if applicable) on detected vulnerabilities when reporting on vulnerability detection and response activity, UNLESS it is an accepted vulnerability:
Change history
2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Content provenance
Official requirement text is sourced from FedRAMP/rules. Boundera implementation guidance has not been fully reviewed for this item.