Skip to main content
Pricing
Sign inRequest demo
VER-RPT-VDTMUSTAll frameworksImplementation guide coming soon

Vulnerability Details

Vulnerability Evaluation and Reporting (VER) · Reporting

Applies to: Providers
Who this applies to
Providers
Service class
All service classes
Force
MUST
Timeframe
No fixed timeframe

Reviewed implementation guidance for VER-RPT-VDT is not published yet. The official source below remains complete and authoritative.

Information required

  • Provider's internally assigned tracking identifier
  • Time and source of the detection
  • Time of completed evaluation
  • Is it an internet-reachable vulnerability or not?
  • Is it a likely exploitable vulnerability or not?
  • Historically and currently estimated Potential Agency Impact N-rating of exploitation
  • Time and Potential Agency Impact N-rating of each completed and evaluated reduction in Potential Agency Impact N-rating
  • Estimated time and target Potential Agency Impact N-rating of next reduction in Potential Agency Impact N-rating
  • Is it currently or is it likely to become an overdue vulnerability or not? If so, explain.
  • Any supplementary information the provider responsibly determines will help federal agencies assess or mitigate the risk to their federal customer data within the cloud service offering resulting from the vulnerability
  • Final disposition of the vulnerability

Expected evidence artifacts

  • A recent vulnerability report or a sample vulnerability report

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MUST include the following information (if applicable) on detected vulnerabilities when reporting on vulnerability detection and response activity, UNLESS it is an accepted vulnerability:

Defined terms in this requirement

Operationalize this rule

Boundera turns FedRAMP 20x requirements like VER-RPT-VDT into assigned evidence, remediation work, and validation workflows.

Request demo

Change history

  • 2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.