VER-EVA-EPAMUSTAll frameworksImplementation guide coming soonEstimate Potential Agency Impact
Vulnerability Evaluation and Reporting (VER) · Evaluation
Applies to: Providers
- Who this applies to
- Providers
- Service class
- All service classes
- Force
- MUST
- Timeframe
- No fixed timeframe
Reviewed implementation guidance for VER-EVA-EPA is not published yet. The official source below remains complete and authoritative.
Information required
- N1: Exploitation could be expected to have minimal customer effects on one or more agencies that use the cloud service offering.
- N2: Exploitation could be expected to have narrow customer effects on one or more agencies that use the cloud service offering.
- N3: Exploitation could be expected to have a disruptive customer effect on one agency that uses the cloud service offering.
- N4: Exploitation could be expected to have a debilitating customer effect on one agency that uses the cloud service offering OR a disruptive customer effect on more than one federal agency that uses the cloud service offering.
- N5: Exploitation could be expected to have a debilitating customer effect on more than one agency that uses the cloud service offering.
Official FedRAMP source
Verbatim from FedRAMP/rules
Providers MUST evaluate detected vulnerabilities, considering the context of the cloud service offering, to estimate the potential agency impact of exploitation on government customers AND assign one of the following Potential Agency Impact N-ratings (PAIN):
Defined terms in this requirement
Change history
2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.
Content provenance
Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.