Skip to main content
Pricing
Sign inRequest demo
VER-TFR-MAVMUSTAll frameworksImplementation guide coming soon

Mark Accepted Vulnerabilities

Vulnerability Evaluation and Reporting (VER) · Timeframes

Applies to: ProvidersTimeframe: 192 days
Who this applies to
Providers
Service class
All service classes
Force
MUST
Timeframe
192 days

Reviewed implementation guidance for VER-TFR-MAV is not published yet. The official source below remains complete and authoritative.

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MUST categorize any vulnerability that is not or will not be fully mitigated or remediated within 192 days of evaluation as an accepted vulnerability.

Defined terms in this requirement

Operationalize this rule

Boundera turns FedRAMP 20x requirements like VER-TFR-MAV into assigned evidence, remediation work, and validation workflows.

Request demo

Change history

  • 2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.