Skip to main content
WhyHow It WorksFeaturesPricingBlog
Sign inRequest demo
VDR-TFR-EVUAll frameworksImplementation guide coming soon

Evaluate Vulnerabilities Quickly

Vulnerability Detection and Response (VDR) · Timeframes

Applies to: Providers
Who this applies to
Providers
Service class
Varies: A, B, C, D
Force
Varies by class
Timeframe
No fixed timeframe

Reviewed implementation guidance for VDR-TFR-EVU is not published yet. The official source below remains complete and authoritative.

Official FedRAMP source

Verbatim from FedRAMP/rules

This requirement varies by FedRAMP Certification class. Each class has its own statement:

Class A

SHOULD 14 days
Providers with Class A Certifications SHOULD evaluate ALL vulnerabilities as required by VDR-EVA (Evaluation) within 14 days of detection.

Class B

SHOULD 7 days
Providers with Class B Certifications SHOULD evaluate ALL vulnerabilities as required by VDR-EVA (Evaluation) within 7 days of detection.

Class C

SHOULD 5 days
Providers with Class C Certifications SHOULD evaluate ALL vulnerabilities as required by VDR-EVA (Evaluation) within 5 days of detection.

Class D

SHOULD 2 days
Providers with Class D Certifications SHOULD evaluate ALL vulnerabilities as required by VDR-EVA (Evaluation) within 2 days of detection.

Defined terms in this requirement

ProviderVulnerabilityVulnerability Detection

Change history

  • 2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.