VER-EVA-GRVSHOULDAll frameworksImplementation guide coming soonGroup Vulnerabilities
Vulnerability Evaluation and Reporting (VER) · Evaluation
Applies to: Providers
- Who this applies to
- Providers
- Service class
- All service classes
- Force
- SHOULD
- Timeframe
- No fixed timeframe
Reviewed implementation guidance for VER-EVA-GRV is not published yet. The official source below remains complete and authoritative.
Official FedRAMP source
Verbatim from FedRAMP/rules
Providers SHOULD evaluate detected vulnerabilities, considering the context of the cloud service offering, to identify logical groupings of affected information resources that may improve the efficiency and effectiveness of vulnerability response by consolidating further activity; FedRAMP Vulnerability Detection and Response rules are then applied to these consolidated groupings of vulnerabilities instead of each individual detected instance.
Defined terms in this requirement
Change history
2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.
Content provenance
Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.