VDR-TFR-PSDAll frameworksImplementation guide coming soon

Persistent Sample Detection

Vulnerability Detection and Response (VDR) · Timeframes

Applies to: Providers

Who this applies to: Providers
Service class: Varies: A, B, C, D
Force: Varies by class
Timeframe: No fixed timeframe

Reviewed implementation guidance for VDR-TFR-PSD is not published yet. The official source below remains complete and authoritative.

Official FedRAMP source

Verbatim from FedRAMP/rules

This requirement varies by FedRAMP Certification class. Each class has its own statement:

Class A

SHOULD 14 days

Providers with Class A Certifications SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once every 14 days.

Class B

SHOULD 7 days

Providers with Class B Certifications SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once every 7 days.

Class C

SHOULD 3 days

Providers with Class C Certifications SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once every 3 days.

Class D

SHOULD 1 days

Providers with Class D Certifications SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once per day.

Defined terms in this requirement

Information Resource Machine-Based (Information Resources)Persistently Provider Vulnerability Vulnerability Detection

Change history

2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.