Skip to main content
Pricing
Sign inRequest demo
VER-EVA-EFASHOULDAll frameworksImplementation guide coming soon

Evaluation Factors

Vulnerability Evaluation and Reporting (VER) · Evaluation

Applies to: Providers
Who this applies to
Providers
Service class
All service classes
Force
SHOULD
Timeframe
No fixed timeframe

Reviewed implementation guidance for VER-EVA-EFA is not published yet. The official source below remains complete and authoritative.

Information required

  • Criticality: How important are the systems or information that might be impacted by the vulnerability?
  • Reachability: How might a threat actor reach the vulnerability and how likely is that?
  • Exploitability: How easy is it for a threat actor to exploit the vulnerability and how likely is that?
  • Detectability: How easy is it for a threat actor to become aware of the vulnerability and how likely is that?
  • Prevalence: How much of the cloud service offering is affected by the vulnerability?
  • Privilege: How much privileged authority or access is granted or can be gained from exploiting the vulnerability?
  • Proximate Vulnerabilities: How does this vulnerability interact with previously detected vulnerabilities, especially partially or fully mitigated vulnerabilities?
  • Known Threats: How might already known threats leverage the vulnerability and how likely is that?

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers SHOULD consider at least the following factors when considering the context of the cloud service offering to evaluate detected vulnerabilities:

Defined terms in this requirement

Operationalize this rule

Boundera turns FedRAMP 20x requirements like VER-EVA-EFA into assigned evidence, remediation work, and validation workflows.

Request demo

Change history

  • 2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.