VDR-TFR-NRIAll frameworksImplementation guide coming soonNon-Internet-Reachable Incidents
Vulnerability Detection and Response (VDR) · Timeframes
Applies to: Providers
- Who this applies to
- Providers
- Service class
- Varies: A, B, C, D
- Force
- Varies by class
- Timeframe
- No fixed timeframe
Reviewed implementation guidance for VDR-TFR-NRI is not published yet. The official source below remains complete and authoritative.
Official FedRAMP source
Verbatim from FedRAMP/rules
This requirement varies by FedRAMP Certification class. Each class has its own statement:
Class A
MAYProviders with Class A Certifications MAY treat likely exploitable vulnerabilities that are NOT internet-reachable where Potential Agency Impact N-rating = 5 as a FedRAMP Reportable Incident until they are partially mitigated vulnerabilities at N4 or below.
Class B
MAYProviders with Class B Certifications MAY treat likely exploitable vulnerabilities that are NOT internet-reachable where Potential Agency Impact N-rating = 5 as a FedRAMP Reportable Incident until they are partially mitigated vulnerabilities at N4 or below.
Class C
MAYProviders with Class C Certifications MAY treat likely exploitable vulnerabilities that are NOT internet-reachable where Potential Agency Impact N-rating = 5 as a FedRAMP Reportable Incident until they are partially mitigated vulnerabilities at N4 or below.
Class D
SHOULDProviders with Class D Certifications SHOULD treat likely exploitable vulnerabilities that are NOT internet-reachable where Potential Agency Impact N-rating = 5 as a FedRAMP Reportable Incident until they are partially mitigated vulnerabilities at N4 or below.
Defined terms in this requirement
Change history
2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.
Content provenance
Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.