VDR-TFR-PDDAll frameworksImplementation guide coming soon

Persistent Drift Detection

Vulnerability Detection and Response (VDR) · Timeframes

Applies to: Providers

Who this applies to: Providers
Service class: Varies: A, B, C, D
Force: Varies by class
Timeframe: No fixed timeframe

Reviewed implementation guidance for VDR-TFR-PDD is not published yet. The official source below remains complete and authoritative.

Official FedRAMP source

Verbatim from FedRAMP/rules

This requirement varies by FedRAMP Certification class. Each class has its own statement:

Class A

SHOULD 3 month

Providers with Class A Certifications SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every 3 months.

Class B

SHOULD 1 month

Providers with Class B Certifications SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every month.

Class C

SHOULD 14 days

Providers with Class C Certifications SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every 14 days.

Class D

SHOULD 7 days

Providers with Class D Certifications SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every 7 days.

Defined terms in this requirement

Drift Information Resource Likely Persistently Provider Vulnerability Vulnerability Detection

Change history

2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.