Vulnerability Evaluation and Reporting
The Vulnerability Evaluation and Reporting rules require cloud service providers to determine when vulnerabilities are likely to impact federal customers and report the status of such vulnerabilities to all necessary parties.
Agency Guidance
These rules for agencies apply to all agencies using a FedRAMP Certification.
Notify FedRAMP
VER-AGM-NFR
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
This FRR includes a notification requirement!
- Notify FedRAMP by email using info@fedramp.gov.
Agencies MUST notify FedRAMP after requesting any additional vulnerability information or materials from a cloud service provider beyond those FedRAMP requires by sending a notification to info@fedramp.gov.
Note: This is an OMB policy; agencies are required to notify FedRAMP in OMB Memorandum M-24-15 section IV (a).
Terms: Vulnerability
Review Vulnerability Reports
VER-AGM-RVR
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Agencies SHOULD review the information provided in vulnerability reports at appropriate and reasonable intervals commensurate with the expectations and risk posture indicated by their Authorization to Operate, and SHOULD use automated processing and filtering of machine-readable information from cloud service providers.
Note: FedRAMP recommends that agencies only review overdue and accepted vulnerabilities with a Potential Agency Impact N-rating > 2 unless the cloud service provider recommends mitigations or the service is included in a higher risk federal information system. Furthermore, accepted vulnerabilities generally only need to be reviewed when they are added or during an updated risk assessment due to changes in the agency's use or authorization.
Terms: Accepted Vulnerability, Potential Agency Impact, Vulnerability
Maintain Agency Plans of Action and Milestones
VER-AGM-MAP
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Agencies SHOULD use vulnerability information reported by the Provider to maintain Plans of Action and Milestones for agency security programs when relevant according to agency security policies (such as if the agency takes action to mitigate the risk of exploitation or authorizes the continued use of a cloud service with accepted vulnerabilities that put agency information systems at risk).
Terms: Accepted Vulnerability, FedRAMP Certified, Vulnerability
Do Not Request Extra Info
VER-AGM-DRE
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Agencies SHOULD NOT request additional information from cloud service providers that is not required by the FedRAMP Vulnerability Detection and Response rules UNLESS the head of the agency or an authorized delegate makes a determination that there is a demonstrable need for such.
Note: This is related to the Presumption of Adequacy directed by 44 USC § 3613(e).
Terms: FedRAMP Certified, Vulnerability, Vulnerability Detection, Vulnerability Response