Skip to main content
WhyHow It WorksFeaturesPricingBlog
Sign inRequest demo
VDR-TFR-PVRAll frameworksImplementation guide coming soon

Mitigation and Remediation Expectations

Vulnerability Detection and Response (VDR) · Timeframes

Applies to: Providers
Who this applies to
Providers
Service class
Varies: A, B, C, D
Force
Varies by class
Timeframe
No fixed timeframe

Reviewed implementation guidance for VDR-TFR-PVR is not published yet. The official source below remains complete and authoritative.

Official FedRAMP source

Verbatim from FedRAMP/rules

This requirement varies by FedRAMP Certification class. Each class has its own statement:

Class A

SHOULD
Providers with Class A Certifications SHOULD partially mitigate vulnerabilities, fully mitigate vulnerabilities, or remediate vulnerabilities to a lower potential adverse impact within the timeframes from evaluation shown below, factoring for the current Potential Agency Impact N-rating, internet reachability, and likely exploitability.

Class B

SHOULD
Providers with Class B Certifications SHOULD partially mitigate vulnerabilities, fully mitigate vulnerabilities, or remediate vulnerabilities to a lower potential adverse impact within the timeframes from evaluation shown below, factoring for the current Potential Agency Impact N-rating, internet reachability, and likely exploitability:

Class C

SHOULD
Providers with Class C Certifications SHOULD partially mitigate vulnerabilities, fully mitigate vulnerabilities, or remediate vulnerabilities to a lower Potential Agency Impact N-rating within the timeframes from evaluation shown below, factoring for the current Potential Agency Impact N-rating, internet reachability, and likely exploitability:

Class D

SHOULD
Providers with Class D Certifications SHOULD partially mitigate vulnerabilities, fully mitigate vulnerabilities, or remediate vulnerabilities to a lower Potential Agency Impact N-rating within the maximum timeframes from evaluation shown below, factoring for the current Potential Agency Impact N-rating, internet reachability, and likely exploitability:

Defined terms in this requirement

AgencyFully Mitigated VulnerabilityLikelyPartially Mitigated VulnerabilityPotential Agency ImpactProviderRemediated VulnerabilityVulnerability

Change history

  • 2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.