VDR-TFR-PCDAll frameworksImplementation guide coming soon

Persistently Complete Detection

Vulnerability Detection and Response (VDR) · Timeframes

Applies to: Providers

Who this applies to: Providers
Service class: Varies: A, B, C, D
Force: Varies by class
Timeframe: No fixed timeframe

Reviewed implementation guidance for VDR-TFR-PCD is not published yet. The official source below remains complete and authoritative.

Official FedRAMP source

Verbatim from FedRAMP/rules

This requirement varies by FedRAMP Certification class. Each class has its own statement:

Class A

SHOULD 6 month

Providers with Class A Certifications SHOULD persistently perform vulnerability detection on all information resources that are NOT likely to drift, at least once every 6 months.

Class B

SHOULD 6 month

Providers with Class B Certifications SHOULD persistently perform vulnerability detection on all information resources that are NOT likely to drift, at least once every 6 months.

Class C

SHOULD 1 month

Providers with Class C Certifications SHOULD persistently perform vulnerability detection on all information resources that are NOT likely to drift, at least once every month.

Class D

SHOULD 1 month

Providers with Class D Certifications SHOULD persistently perform vulnerability detection on all information resources that are NOT likely to drift, at least once every month.

Defined terms in this requirement

Drift Information Resource Likely Persistently Provider Vulnerability Vulnerability Detection

Change history

2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.