VDR-TFR-MHRMUSTAll frameworksImplementation guide coming soon

Monthly Activity Report

Vulnerability Detection and Response (VDR) · Timeframes

Applies to: ProvidersTimeframe: 1 month

Who this applies to: Providers
Service class: All service classes
Force: MUST
Timeframe: 1 month

Reviewed implementation guidance for VDR-TFR-MHR is not published yet. The official source below remains complete and authoritative.

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MUST report vulnerability detection and response activity to all necessary parties in a consistent format that is human readable at least monthly.

Defined terms in this requirement

All Necessary Parties Provider Vulnerability Vulnerability Detection Vulnerability Response

Change history

2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.