VDR-TFR-KEV · SHOULD · Implementation guide coming soon

Remediate KEVs

Vulnerability Detection and Response (VDR) · Timeframes

Applies to: Providers
Service class: All service classes
Force: SHOULD
Timeframe: No fixed timeframe

Reviewed implementation guidance for VDR-TFR-KEV is not published yet. The official source below remains complete and authoritative.

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers SHOULD remediate Known Exploited Vulnerabilities according to the due dates in the CISA Known Exploited Vulnerabilities Catalog (even if the vulnerability has been fully mitigated) as required by CISA Binding Operational Directive (BOD) 22-01 or any successor guidance from CISA.

Defined terms in this requirement

References

CISA BOD 22-01

Change history

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules. Boundera implementation guidance has not been fully reviewed for this item.