VER-RPT-AVIMUSTAll frameworksImplementation guide coming soonAccepted Vulnerability Info
Vulnerability Evaluation and Reporting (VER) · Reporting
Applies to: Providers
- Who this applies to
- Providers
- Service class
- All service classes
- Force
- MUST
- Timeframe
- No fixed timeframe
Reviewed implementation guidance for VER-RPT-AVI is not published yet. The official source below remains complete and authoritative.
Information required
- Provider's internally assigned tracking identifier
- Time and source of the detection
- Time of completed evaluation
- Is it an internet-reachable vulnerability or not?
- Is it a likely exploitable vulnerability or not?
- Currently estimated Potential Agency Impact N-rating
- Explanation of why this is an accepted vulnerability
- Any supplementary information the provider determines will responsibly help federal agencies assess or mitigate the risk to their federal customer data within the cloud service offering resulting from the accepted vulnerability
Expected evidence artifacts
- A recent vulnerability report or a sample vulnerability report
Official FedRAMP source
Verbatim from FedRAMP/rules
Providers MUST include the following information on accepted vulnerabilities when reporting on vulnerability detection and response activity:
Defined terms in this requirement
Change history
2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.
Content provenance
Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.