VDR-TFR-MAV · MUST · Implementation guide coming soon

Mark Accepted Vulnerabilities

Vulnerability Detection and Response (VDR) · Timeframes

Who this applies to: Providers
Service class: All service classes
Force: MUST
Timeframe: 192 days

Reviewed implementation guidance for VDR-TFR-MAV is not published yet. The official source below remains complete and authoritative.

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MUST categorize any vulnerability that is not or will not be fully mitigated or remediated within 192 days of evaluation as an accepted vulnerability.

Defined terms in this requirement

Change history

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules. Boundera implementation guidance has not been fully reviewed for this item.