{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "FedRAMP.schema.json", "info": { "name": "Vulnerability Detection and Response Standard", "short_name": "VDR", "current_release": "25.09B", "types": ["FRR", "FRA"], "note_for_developers": "This release is text-complete but does not have full referenced_fr mappings and other items filled out yet to save time; thanks for your patience!", "releases": [ { "id": "25.09B", "published_date": "2025-09-11", "description": "This update moves the remediation table from FRR-VDR-TF-HI-07 to FRR-VDR-TF-HI-08, adds a clarification on application to Rev5, and fixes a few minor typos. No actual breaking/modifying changes were made to content.", "public_comment": true, "effective": { "20x": { "timeline": { "pilot": { "start_date": "2025-09-15", "designator": "20x", "comment": "Phase One Pilot participants have one year from authorization to fully implement this standard but must demonstrate continuous quarterly progress." } }, "specific_release": "20x.VDR.P2.25.09A", "is_optional": false, "comment": "Phase Two Pilot participants must demonstrate significant progress towards implementing this standard prior to authorization." }, "Rev5": { "timeline": { "closed_beta": { "start_date": "2025-10-08", "is_tentative": true, "designator": "R5.VDR.B1", "comment": "This release is fully optional for Rev5. Cloud service offerings that intend to adopt this standard MUST enroll in the Rev5 VDR Beta(s) and obtain approval from FedRAMP prior to halting any currently required Rev5 Continuous Monitoring process." } }, "is_optional": true, "specific_release": "R5.VDR.B1.25.09A", "comments": [ "Providers should participate in the FedRAMP Rev5 Community Working Group at https://fedramp.gov/community to follow this process and request participation in the Closed Beta.", "FedRAMP is tentatively planning for a Rev5 VDR Open Beta to begin sometime in FY26 Q2 with optional wide release possibly in FY26 Q3 or Q4." 
] } } }, { "id": "25.09A", "published_date": "2025-09-10", "description": "Initial release of the Vulnerability Detection and Response Standard", "public_comment": true, "effective": { "20x": { "timeline": { "pilot": { "start_date": "2025-09-15", "designator": "20x", "comment": "Phase One Pilot participants have one year from authorization to fully implement this standard but must demonstrate continuous quarterly progress." } }, "specific_release": "20x.VDR.P2.25.09A", "is_optional": false, "comment": "Phase Two Pilot participants must demonstrate significant progress towards implementing this standard prior to authorization." }, "Rev5": { "timeline": { "closed_beta": { "start_date": "2025-10-08", "is_tentative": true, "designator": "R5.VDR.B1", "comment": "Cloud service offerings MUST be enrolled in the Rev5 VDR Closed Beta and obtain approval from FedRAMP prior to halting any currently required Rev5 Continuous Monitoring process." } }, "is_optional": true, "specific_release": "R5.VDR.B1.25.09A", "comments": [ "Providers should participate in the FedRAMP Rev5 Community Working Group at https://fedramp.gov/community to follow this process and request participation in the Closed Beta.", "FedRAMP is tentatively planning for a Rev5 VDR Open Beta to begin sometime in FY26 Q2 with optional wide release possibly in FY26 Q3 or Q4." 
] } }, "related_rfcs": [ { "start_date": "2025-07-15", "end_date": "2025-08-21", "id": "0012", "url": "https://www.fedramp.gov/rfcs/0012/", "discussion_url": "https://github.com/FedRAMP/community/discussions/59", "short_name": "rfc-0012-vulnerability-management", "full_name": "FedRAMP RFC-0012: Continuous Vulnerability Management Standard" } ] } ], "front_matter": { "authority": [ { "reference": "OMB Circular A-130, Managing Information as a Strategic Resource", "reference_url": "https://whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf", "description": "OMB Circular A-130 defines continuous monitoring as \"maintaining ongoing awareness of information security, vulnerabilities, threats, and incidents to support agency risk management decisions.\"" }, { "reference": "44 USC § 3609 (a)(7)", "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap36-sec3609", "description": "The FedRAMP Authorization Act (44 USC § 3609 (a)(7)) directs the Administrator of the General Services Administration to \"coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the Director and the Secretary, to establish and regularly update a framework for continuous monitoring...\"", "delegation": "This responsibility is delegated to the FedRAMP Director", "delegation_url": "https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp" } ], "purpose": "The FedRAMP Vulnerability Detection and Response Standard ensures FedRAMP Authorized cloud service offerings use automated systems to effectively and continuously identify, analyze, prioritize, mitigate, and remediate vulnerabilities and related exposures to threats; and that information related to these activities is effectively and continuously reported to federal agencies for the purposes of ongoing authorization.\n\nThe 
Vulnerability Detection and Response standard defines minimum security requirements that cloud service providers must meet to be FedRAMP Authorized while allowing them flexibility in how they implement and adopt the majority of FedRAMP's requirements and recommendations. This creates a marketplace where cloud service providers can compete based on their individual approach and prioritization of security and agencies can choose to adopt cloud services with less effective security programs for less sensitive use cases while prioritizing cloud services with high performing security programs when needed.\n\nOver time, FedRAMP will automatically review the machine-readable authorization data shared by participating cloud service providers to begin scoring cloud service offerings based on how effectively they meet or exceed the requirements and recommendations in this and other FedRAMP 20x standards.\n\nAll existing FedRAMP requirements, including control statements, standards, and other guidelines that reference vulnerability scanning or formal Plans of Action and Milestones (POA&Ms) are superseded by this standard and MAY be ignored by providers of cloud service offerings that have met the requirements to adopt this standard with approval by FedRAMP.", "expected_outcomes": [ "Cloud service providers following commercial security best practices will be able to meet and validate FedRAMP security requirements with simple changes and automated capabilities", "Federal agencies will be able to easily, quickly, and effectively review and consume security information about the service to make informed risk-based authorizations based on their use cases" ] } }, "FRR": { "VDR": { "base": { "id": "FRR-VDR", "application": "These requirements apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this standard.", "requirements": [ { "id": "FRR-VDR-01", "statement": "Providers MUST systematically, _persistently_, and 
_promptly_ discover and identify _vulnerabilities_ within their _cloud service offering_ using appropriate techniques such as assessment, scanning, threat intelligence, vulnerability disclosure mechanisms, bug bounties, supply chain monitoring, and other relevant capabilities; this process is called _vulnerability detection_.", "affects": ["Providers"], "primary_key_word": "MUST", "referenced_fr": [ "FRD-ALL-38", "FRD-ALL-37", "FRD-ALL-20", "FRD-ALL-06", "FRD-ALL-21" ] }, { "id": "FRR-VDR-02", "statement": "Providers MUST systematically, _persistently_, and _promptly_ track, evaluate, monitor, _mitigate_, _remediate_, assess exploitation of, report, and otherwise manage all detected vulnerabilities within their _cloud service offering_; this process is called _vulnerability response_.", "affects": ["Providers"], "primary_key_word": "MUST", "referenced_fr": [ "FRD-ALL-38", "FRD-ALL-37", "FRD-ALL-27", "FRD-ALL-28", "FRD-ALL-06", "FRD-ALL-22" ] }, { "id": "FRR-VDR-03", "statement": "Providers MUST follow the requirements and recommendations outlined in FRR-VDR-TF regarding timeframes for _vulnerability detection_ and _response_.", "note": "Providers are strongly encouraged to build programs that consistently exceed these thresholds. 
Performance will be measured by FedRAMP for comparison between providers and scoring within the FedRAMP Marketplace.", "affects": ["Providers"], "primary_key_word": "MUST", "referenced_fr": ["FRD-ALL-21", "FRD-ALL-22"] }, { "id": "FRR-VDR-04", "statement": "Providers MAY sample effectively identical _information resources_, especially machine-based _information resources_, when performing _vulnerability detection_ UNLESS doing so would decrease the efficiency or effectiveness of _vulnerability detection_.", "affects": ["Providers"], "primary_key_word": "MAY", "referenced_fr": ["FRD-ALL-02", "FRD-ALL-21"] }, { "id": "FRR-VDR-05", "statement": "Providers SHOULD evaluate _detected vulnerabilities_, considering the context of the _cloud service offering_, to identify logical groupings of affected _information resources_ that may improve the efficiency and effectiveness of _vulnerability response_ by consolidating further activity; requirements and recommendations in this standard are then applied to these consolidated groupings of _vulnerabilities_ instead of each individual detected instance.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": [ "FRD-ALL-21", "FRD-ALL-06", "FRD-ALL-02", "FRD-ALL-22", "FRD-ALL-20" ] }, { "id": "FRR-VDR-06", "statement": "Providers SHOULD evaluate _detected vulnerabilities_, considering the context of the _cloud service offering_, to determine if they are _false positive vulnerabilities_.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-ALL-"] }, { "id": "FRR-VDR-07", "statement": "Providers MUST evaluate _detected vulnerabilities_, considering the context of the _cloud service offering_, to determine if they are _likely exploitable vulnerabilities_.", "affects": ["Providers"], "primary_key_word": "MUST", "referenced_fr": ["FRD-ALL-"] }, { "id": "FRR-VDR-08", "statement": "Providers MUST evaluate _detected vulnerabilities_, considering the context of the _cloud service offering_, to 
determine if they are _internet-reachable vulnerabilities_.", "affects": ["Providers"], "primary_key_word": "MUST", "referenced_fr": ["FRD-ALL-"] }, { "id": "FRR-VDR-09", "statement": "Providers MUST evaluate _detected vulnerabilities_, considering the context of the _cloud service offering_, to estimate the _potential adverse impact_ of exploitation on government customers AND assign one of the following _potential adverse impact_ ratings:", "affects": ["Providers"], "primary_key_word": "MUST", "following_information_bullets": [ "**N1**: Exploitation could be expected to have _negligible adverse effects_ on one or more _agencies_ that use the _cloud service offering_.", "**N2**: Exploitation could be expected to have _limited adverse effects_ on one or more _agencies_ that use the _cloud service offering_.", "**N3**: Exploitation could be expected to have a _serious adverse effect_ on one _agency_ that uses the _cloud service offering_.", "**N4**: Exploitation could be expected to have a _catastrophic adverse effect_ on one _agency_ that uses the _cloud service offering_ OR a _serious adverse effect_ on more than one federal agency that uses the _cloud service offering_.", "**N5**: Exploitation could be expected to have a _catastrophic adverse effect_ on more than one _agency_ that uses the _cloud service offering_." 
], "referenced_fr": ["FRD-ALL-"] }, { "id": "FRR-VDR-10", "statement": "Providers SHOULD consider at least the following factors when considering the context of the _cloud service offering_ to evaluate _detected vulnerabilities_:", "affects": ["Providers"], "primary_key_word": "SHOULD", "following_information": [ "**Criticality**: How important are the systems or information that might be impacted by the _vulnerability_?", "**Reachability**: How might a threat actor reach the _vulnerability_ and how _likely_ is that?", "**Exploitability**: How easy is it for a threat actor to exploit the _vulnerability_ and how _likely_ is that?", "**Detectability**: How easy is it for a threat actor to become aware of the _vulnerability_ and how _likely_ is that?", "**Prevalence**: How much of the _cloud service offering_ is affected by the _vulnerability_?", "**Privilege**: How much privileged authority or access is granted or can be gained from exploiting the _vulnerability_?", "**Proximate Vulnerabilities**: How does this _vulnerability_ interact with previously _detected vulnerabilities_, especially _partially_ or _fully mitigated vulnerabilities?_", "**Known Threats**: How might already known threats leverage the _vulnerability_ and how _likely_ is that?" 
], "referenced_fr": ["FRD-ALL-"] }, { "id": "FRR-VDR-11", "statement": "Providers MUST document the reason and resulting implications for their customers when choosing not to meet FedRAMP recommendations in this standard; this documentation MUST be included in the _authorization data_ for the _cloud service offering_.", "affects": ["Providers"], "primary_key_word": "MUST", "referenced_fr": ["FRD-ALL-"] } ] }, "apply": { "application": "This section provides guidance on the application of this standard, including recommendations for implementing high quality _vulnerability detection_ and _response_ programs; providers who follow some or all of these will be better positioned to meet future FedRAMP authorization requirements.", "id": "FRR-VDR-AY", "requirements": [ { "id": "FRR-VDR-AY-01", "statement": "If it is not possible to _fully mitigate_ or _remediate_ _detected vulnerabilities_, providers SHOULD instead _partially mitigate vulnerabilities_ _promptly_, progressively, and *persistently*.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-AY-02", "statement": "Providers SHOULD make design and architecture decisions for their _cloud service offering_ that mitigate the risk of _vulnerabilities_ by default AND decrease the risk and complexity of _vulnerability_ _detection_ and _response_.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-AY-03", "statement": "Providers SHOULD use automated services to improve and streamline _vulnerability detection_ and _response_.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-AY-04", "statement": "Providers SHOULD automatically perform _vulnerability detection_ on representative samples of new or _significantly_ _changed_ _information resources_.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] }, { "id": 
"FRR-VDR-AY-05", "statement": "Providers SHOULD NOT weaken the security of _information resources_ to facilitate vulnerability scanning or assessment activities.", "affects": ["Providers"], "primary_key_word": "SHOULD NOT", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-AY-06", "statement": "Providers SHOULD NOT deploy or otherwise activate new machine-based _information resources_ with _Known Exploited Vulnerabilities_.", "affects": ["Providers"], "primary_key_word": "SHOULD NOT", "referenced_fr": ["FRD-VDR-01"] } ] }, "reporting": { "application": "This section identifies FedRAMP-specific reporting requirements and recommendations for _vulnerabilities_.", "id": "FRR-VDR-RP", "referenced_fr": ["FRD-VDR-00", "FRD-VDR-00"], "requirements": [ { "id": "FRR-VDR-RP-01", "statement": "Providers MUST report _vulnerability detection_ and _response_ activity to all necessary parties _persistently_, summarizing ALL activity since the previous report; these reports are _authorization data_ and are subject to the FedRAMP Authorization Data Sharing (ADS) standard.", "affects": ["Providers"], "primary_key_word": "MUST", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-RP-02", "statement": "Providers SHOULD include high-level overviews of ALL _vulnerability detection_ and _response_ activities conducted during this period for the _cloud service offering;_ this includes vulnerability disclosure programs, bug bounty programs, penetration testing, assessments, etc.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-RP-03", "statement": "Providers MUST NOT irresponsibly disclose specific sensitive information about _vulnerabilities_ that would _likely_ lead to exploitation, but MUST disclose sufficient information for informed risk-based decision-making to all necessary parties.", "affects": ["Providers"], "primary_key_word": "MUST NOT", "note": "See FRR-VDR-EX for exceptions to this requirement.", "referenced_fr": 
["FRD-VDR-01"] }, { "id": "FRR-VDR-RP-04", "statement": "Providers MAY responsibly disclose _vulnerabilities_ publicly or with other parties if the provider determines doing so will NOT _likely_ lead to exploitation.", "affects": ["Providers"], "primary_key_word": "MAY", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-RP-05", "statement": "Providers MUST include the following information (if applicable) on _detected vulnerabilities_ when reporting on _vulnerability detection_ and _response_ activity, UNLESS it is an _accepted vulnerability_:", "following_information": [ "Provider's internally assigned tracking identifier", "Time and source of the detection", "Time of completed evaluation", "Is it an *internet-reachable vulnerability* or not?", "Is it a *likely exploitable vulnerability* or not?", "Historically and currently estimated *potential adverse impact* of exploitation", "Time and level of each completed and evaluated reduction in *potential adverse impact*", "Estimated time and target level of next reduction in *potential adverse impact*", "Is it currently or is it likely to become an *overdue vulnerability* or not? 
If so, explain.", "Any supplementary information the provider responsibly determines will help federal agencies assess or mitigate the risk to their *federal information* within the *cloud service offering* resulting from the *vulnerability*", "Final disposition of the *vulnerability*" ], "affects": ["Providers"], "primary_key_word": "MUST", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-RP-06", "statement": "Providers MUST include the following information on _accepted vulnerabilities_ when reporting on _vulnerability detection_ and _response_ activity:", "following_information": [ "Provider's internally assigned tracking identifier", "Time and source of the detection", "Time of completed evaluation", "Is it an *internet-reachable vulnerability* or not?", "Is it a *likely exploitable vulnerability* or not?", "Currently estimated *potential adverse impact* of exploitation", "Explanation of why this is an *accepted vulnerability*", "Any supplementary information the provider determines will responsibly help federal agencies assess or mitigate the risk to their *federal information* within the *cloud service offering* resulting from the *accepted vulnerability*" ], "affects": ["Providers"], "primary_key_word": "MUST", "referenced_fr": ["FRD-VDR-01"] } ] }, "exceptions": { "application": "These exceptions MAY override some or all of the FedRAMP requirements and recommendations in this standard.", "id": "FRR-VDR-EX", "requirements": [ { "id": "FRR-VDR-EX-01", "statement": "Providers MAY be required to share additional _vulnerability_ information, alternative reports, or to report at an alternative frequency as a condition of a FedRAMP Corrective Action Plan or other agreements with federal agencies.", "affects": ["Providers"], "primary_key_word": "MAY", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-EX-02", "statement": "Providers MAY be required to provide additional information or details about _vulnerabilities_, including sensitive information that would 
_likely_ lead to exploitation, as part of review, response or investigation by necessary parties.", "affects": ["Providers"], "primary_key_word": "MAY", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-EX-03", "statement": "Providers MUST NOT use this standard to reject requests for additional information from necessary parties which also include law enforcement, Congress, and Inspectors General.", "affects": ["Providers"], "primary_key_word": "MUST NOT" } ] }, "timeframes": { "application": "This section provides guidance on timeframes that apply to all impact levels of FedRAMP authorization for activities required or recommended in this standard; these timeframes are thresholds that secure providers should consistently strive to exceed by significant margins.", "id": "FRR-VDR-TF", "referenced_fr": ["FRD-VDR-00", "FRD-VDR-00"], "requirements": [ { "id": "FRR-VDR-TF-01", "statement": "Providers MUST report _vulnerability detection_ and _response_ activity to all necessary parties in a consistent format that is human readable at least monthly.", "affects": ["Providers"], "primary_key_word": "MUST", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-02", "statement": "Providers SHOULD _remediate Known Exploited Vulnerabilities_ according to the due dates in the CISA Known Exploited Vulnerabilities Catalog (even if the vulnerability has been _fully mitigated_) as required by CISA Binding Operational Directive (BOD) 22-01 or any successor guidance from CISA.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"], "reference": "CISA BOD 22-01", "reference_url": "https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities" }, { "id": "FRR-VDR-TF-03", "statement": "Providers MUST categorize any vulnerability that is not or will not be _fully mitigated_ or _remediated_ within 192 days of evaluation as an _accepted vulnerability_.", "affects": ["Providers"], "primary_key_word": 
"MUST", "referenced_fr": ["FRD-VDR-01"] } ] }, "timeframe-low": { "application": "This section provides guidance on timeframes that apply specifically to FedRAMP Low authorizations for activities required or recommended in this standard; these timeframes are thresholds that secure providers should consistently strive to exceed by significant margins.", "id": "FRR-VDR-TF-LO", "referenced_fr": ["FRD-VDR-00", "FRD-VDR-00"], "requirements": [ { "id": "FRR-VDR-TF-LO-01", "statement": "Providers SHOULD make all recent historical _vulnerability detection_ and _response_ activity available in a _machine-readable_ format for automated retrieval by all necessary parties (e.g. using an API service or similar); this information SHOULD be updated _persistently_, at least once every month.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-LO-02", "statement": "Providers SHOULD _persistently_ perform _vulnerability detection_ on representative samples of similar machine-based _information resources_, at least once every week.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-LO-03", "statement": "Providers SHOULD _persistently_ perform _vulnerability detection_ on all _information resources_ that are _likely_ to _drift_, at least once every month.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-LO-04", "statement": "Providers SHOULD _persistently_ perform _vulnerability detection_ on all _information resources_ that are NOT _likely_ to _drift_, at least once every six months.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-LO-05", "statement": "Providers SHOULD evaluate ALL _vulnerabilities_ as required by FRR-VDR-07, FRR-VDR-08, and FRR-VDR-09 within 7 days of _detection_.", "affects": ["Providers"], "primary_key_word": "MUST", 
"referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-LO-06", "statement": "Providers SHOULD _partially mitigate, fully mitigate,_ or _remediate vulnerabilities_ to a lower _potential adverse impact_ within the timeframes from evaluation shown below (in days), factoring for the current _potential adverse impact_, _internet reachability,_ and _likely exploitability_:", "affects": ["Providers"], "primary_key_word": "SHOULD", "pain_timeframes": [ { "pain": 5, "max_days_irv_lev": 4, "max_days_nirv_lev": 8, "max_days_nlev": 32 }, { "pain": 4, "max_days_irv_lev": 8, "max_days_nirv_lev": 32, "max_days_nlev": 64 }, { "pain": 3, "max_days_irv_lev": 32, "max_days_nirv_lev": 64, "max_days_nlev": 192 }, { "pain": 2, "max_days_irv_lev": 96, "max_days_nirv_lev": 160, "max_days_nlev": 192 } ], "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-LO-07", "statement": "Providers SHOULD _mitigate_ or _remediate_ remaining _vulnerabilities_ during routine operations as determined necessary by the provider.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] } ] }, "timeframe-moderate": { "application": "This section provides guidance on timeframes that apply specifically to FedRAMP Moderate authorizations for activities required or recommended in this standard; these timeframes are thresholds that secure providers should consistently strive to exceed by significant margins.", "id": "FRR-VDR-TF-MO", "referenced_fr": ["FRD-VDR-00", "FRD-VDR-00"], "requirements": [ { "id": "FRR-VDR-TF-MO-01", "statement": "Providers SHOULD make all recent historical _vulnerability detection_ and _response_ activity available in a _machine-readable_ format for automated retrieval by all necessary parties (e.g. 
using an API service or similar); this information SHOULD be updated _persistently_, at least once every 14 days.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-MO-02", "statement": "Providers SHOULD _persistently_ perform _vulnerability detection_ on representative samples of similar machine-based _information resources_, at least once every 3 days.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-MO-03", "statement": "Providers SHOULD _persistently_ perform _vulnerability detection_ on all _information resources_ that are _likely_ to _drift_, at least once every 14 days.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-MO-04", "statement": "Providers SHOULD _persistently_ perform _vulnerability detection_ on all _information resources_ that are NOT _likely_ to _drift_, at least once per month.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-MO-05", "statement": "Providers SHOULD evaluate ALL _vulnerabilities_ as required by FRR-VDR-07, FRR-VDR-08, and FRR-VDR-09 within 5 days of _detection_.", "affects": ["Providers"], "primary_key_word": "MUST", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-MO-06", "statement": "Providers SHOULD treat _internet-reachable likely exploitable vulnerabilities_ with a _potential adverse impact_ of N4 or N5 as a security incident until they are _partially mitigated_ to N3 or below.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-MO-07", "statement": "Providers SHOULD _partially mitigate, fully mitigate,_ or _remediate vulnerabilities_ to a lower _potential adverse impact_ within the timeframes from evaluation shown below, factoring for the current _potential adverse impact_, _internet reachability,_ and 
_likely exploitability_:", "affects": ["Providers"], "primary_key_word": "SHOULD", "pain_timeframes": [ { "pain": 5, "max_days_irv_lev": 2, "max_days_nirv_lev": 4, "max_days_nlev": 16 }, { "pain": 4, "max_days_irv_lev": 4, "max_days_nirv_lev": 8, "max_days_nlev": 64 }, { "pain": 3, "max_days_irv_lev": 16, "max_days_nirv_lev": 32, "max_days_nlev": 128 }, { "pain": 2, "max_days_irv_lev": 48, "max_days_nirv_lev": 128, "max_days_nlev": 192 } ], "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-MO-08", "statement": "Providers SHOULD *mitigate* or *remediate* remaining *vulnerabilities* during routine operations as determined necessary by the provider.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] } ] }, "timeframe-high": { "application": "This section provides guidance on timeframes that apply specifically to FedRAMP High authorizations for activities required or recommended in this standard; these timeframes are thresholds that secure providers should consistently strive to exceed by significant margins.", "id": "FRR-VDR-TF-HI", "referenced_fr": ["FRD-VDR-00", "FRD-VDR-00"], "requirements": [ { "id": "FRR-VDR-TF-HI-01", "statement": "Providers SHOULD make all recent historical _vulnerability detection_ and _response_ activity available in a _machine-readable_ format for automated retrieval by all necessary parties (e.g. 
using an access-controlled API service or similar; details of unmitigated vulnerabilities are sensitive, so retrieval should be limited to those necessary parties); this information SHOULD be updated _persistently_, at least once every 7 days.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-HI-02", "statement": "Providers SHOULD _persistently_ perform _vulnerability detection_ on representative samples of similar machine-based _information resources_, at least once per day.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-HI-03", "statement": "Providers SHOULD _persistently_ perform _vulnerability detection_ on all _information resources_ that are _likely_ to _drift_, at least once every 7 days.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-HI-04", "statement": "Providers SHOULD _persistently_ perform _vulnerability detection_ on all _information resources_ that are NOT _likely_ to _drift_, at least once per month.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-HI-05", "statement": "Providers SHOULD evaluate ALL _vulnerabilities_ as required by FRR-VDR-07, FRR-VDR-08, and FRR-VDR-09 within 2 days of _detection_.", "affects": ["Providers"], "primary_key_word": "MUST", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-HI-06", "statement": "Providers SHOULD treat _internet-reachable likely exploitable vulnerabilities_ with a _potential adverse impact_ of N4 or N5 as a security incident until they are _partially mitigated_ to N3 or below.", "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-HI-07", "statement": "Providers SHOULD treat _likely exploitable vulnerabilities_ that are NOT _internet-reachable_ with a _potential adverse impact_ of N5 as a security incident until they are _partially mitigated_ to N4 or below.", "affects": ["Providers"], "primary_key_word": "SHOULD", 
"referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-HI-08", "statement": "Providers SHOULD _partially mitigate_ _vulnerabilities_ to a lower _potential adverse impact_ within the maximum time-frames from evaluation shown below, factoring for the current _potential adverse impact_, _internet reachability,_ and _likely exploitability_:", "affects": ["Providers"], "primary_key_word": "SHOULD", "pain_timeframes": [ { "pain": 5, "max_days_irv_lev": ".5", "max_days_nirv_lev": 1, "max_days_nlev": 8 }, { "pain": 4, "max_days_irv_lev": 2, "max_days_nirv_lev": 8, "max_days_nlev": 32 }, { "pain": 3, "max_days_irv_lev": 8, "max_days_nirv_lev": 16, "max_days_nlev": 64 }, { "pain": 2, "max_days_irv_lev": 24, "max_days_nirv_lev": 96, "max_days_nlev": 192 } ], "referenced_fr": ["FRD-VDR-01"] }, { "id": "FRR-VDR-TF-HI-09", "statement": "Providers SHOULD *mitigate* or *remediate* remaining *vulnerabilities* during routine operations as determined necessary by the provider.", "affects": ["Providers"], "primary_key_word": "MUST", "referenced_fr": ["FRD-VDR-01"] } ] }, "agencies": { "application": "The section provides guidance for agencies that apply under 44 USC § 3613 (e) which states that the assessment and materials within a FedRAMP authorization package “shall be presumed adequate for use in an agency authorization to operate cloud computing products and services.”", "id": "FRR-VDR-AG", "referenced_fr": ["FRD-VDR-00", "FRD-VDR-00"], "requirements": [ { "id": "FRR-VDR-AG-01", "statement": "Agencies SHOULD review the information provided in vulnerability reports at appropriate and reasonable intervals commensurate with the expectations and risk posture indicated by their Authorization to Operate, and SHOULD use automated processing and filtering of machine readable information from cloud service providers.", "note": "FedRAMP recommends that agencies only review *overdue* and _accepted vulnerabilities_ with a _potential adverse impact_ of N3 or higher unless the cloud service 
provider recommends mitigations or the service is included in a higher risk federal information system. Furthermore, _accepted vulnerabilities_ generally only need to be reviewed when they are added or during an updated risk assessment due to changes in the agency’s use or authorization.", "affects": ["Agencies"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"], "is_interim": true }, { "id": "FRR-VDR-AG-02", "statement": "Agencies SHOULD use *vulnerability* information reported by the Provider to maintain Plans of Action & Milestones for agency security programs when relevant according to agency security policies (such as if the agency takes action to mitigate the risk of exploitation or authorized the continued use of a cloud service with *accepted vulnerabilities* that put agency information systems at risk).", "affects": ["Agencies"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-VDR-01"], "is_interim": true }, { "id": "FRR-VDR-AG-03", "statement": "Agencies SHOULD NOT request additional information from cloud service providers that is not required by this FedRAMP standard UNLESS the head of the agency or an authorized delegate makes a determination that there is a demonstrable need for such.", "note": "This is related to the Presumption of Adequacy directed by 44 USC § 3613 (e).", "affects": ["Agencies"], "primary_key_word": "SHOULD NOT", "referenced_fr": ["FRD-VDR-01"], "is_interim": true }, { "id": "FRR-VDR-AG-04", "statement": "Agencies MUST inform FedRAMP after requesting any additional *vulnerability* information or materials from a cloud service provider beyond those required by this policy by sending a notification to [info@fedramp.gov](mailto:info@fedramp.gov).", "note": "This is an OMB policy; agencies are required to notify FedRAMP in OMB Memorandum M-24-15 section IV (a).", "affects": ["Agencies"], "primary_key_word": "MUST", "is_interim": true } ] } } }, "FRA": { "VDR": { "id": "FRA-VDR", "disclaimer": "Every cloud service 
provider is different, every architecture is different, and every environment is different. Best practices and technical assistance MUST NOT be used as a checklist. All examples are for discussion purposes ONLY.", "purpose": "This Technical Assistance provides additional context behind the intent and goals of certain aspects of this standard that have caused significant confusion or requests for clarification during public comment. This assistance is initially designed for 20x Phase Two/Three and the Rev5 Closed Beta Balance Improvement Test.", "requirements": [ { "id": "FRA-VDR-01", "applies_to": "FRR-VDR-08", "statement": "FedRAMP focuses on internet-reachable (rather than internet-accessible) vulnerabilities to ensure that any service that might receive a payload from the internet is prioritized if that service has a vulnerability that can be triggered by processing the data in the payload. The simplest way to prevent exploitation of internet-reachable vulnerabilities is to intercept, inspect, filter, sanitize, reject, or otherwise deflect triggering payloads before they are processed by the vulnerable resource; once this prevention is in place and has been verified to block the triggering payloads, the vulnerability should no longer be considered an internet-reachable vulnerability. It remains a vulnerability that should still be tracked for mitigation or remediation, and its internet-reachable status should be re-evaluated if the intercepting control is bypassed, changed, or removed.\n\nA classic example of an internet-reachable vulnerability on systems that are not typically internet-accessible is SQL injection (https://en.wikipedia.org/wiki/SQL_injection), where an application stack behind a load balancer and firewall with no ability to route traffic to or from the internet can receive a payload indirectly from the internet that triggers the manipulation or compromise of data in a database that can only be accessed by an authorized connection from the application server on a private network.\n\nAnother simple example is the infamous Log4Shell (https://en.wikipedia.org/wiki/Log4Shell) vulnerability from 2021, where exploitation was possible via vulnerable internet-reachable resources deep in the application stack that were often 
not internet-accessible themselves." }, { "id": "FRA-VDR-02", "applies_to": "FRR-VDR-07", "statement": "The simple reality is that most traditional vulnerabilities discovered by scanners or during assessment are not likely to be exploitable; exploitation typically requires an unrealistic set of circumstances that will not occur during normal operation. The likelihood of exploitation will vary depending on so many factors that FedRAMP will not recommend a specific framework for approaching this beyond the recommendations and requirements in this document.\n\nThe proof, ultimately, is in the pudding: providers who regularly evaluate vulnerabilities as not likely exploitable without careful consideration are more likely to suffer from an adverse impact where the root cause was an exploited vulnerability that was improperly evaluated. If done recklessly or deliberately, such actions will have a potential adverse impact on a provider's FedRAMP authorization. Providers should therefore record the rationale for each such evaluation so that it can be revisited if the circumstances that made exploitation unlikely change, such as when a working exploit becomes publicly available or a compensating control is altered or removed." } ] } } }