
How does the new FedRAMP Vulnerability Detection and Response Standard, dated 9/10/2025, affect you?

TLDR Version:

FedRAMP is redefining the minimum security requirements for Vulnerability Detection and Response (VDR) that CSPs must meet to attain FedRAMP Authorized status. Under the previous requirements, CSPs had little flexibility in how they implemented and adopted most of FedRAMP's requirements, which made compliance costly. Under the new standard, CSPs can compete on their own prioritization of security, with the flexibility to implement vulnerability detection and response as they choose, for example on the basis of commercial security best practices alone. Agencies can then select a service for less sensitive use cases based on the individual approach of the CSPs being evaluated, or choose a CSP with higher standards for highly sensitive use cases.

This approach aims to let federal agencies review the security information about a CSP's services more quickly and make better-informed risk assessments for their own use cases. The intention is for CSPs to meet the FedRAMP requirements largely through automated capabilities and modest changes to existing techniques.

Adherence requirements for the new standard differ between FedRAMP 20x and FedRAMP Rev5:

For FedRAMP 20x (Low baseline) CSPs:

  • Goes into effect on 9/15/2025
  • Phase One participants have one year from authorization to implement, but progress must be tracked (for instance, in your POA&M) to demonstrate quarterly progress.
  • Phase Two participants must show significant progress towards implementation prior to authorization.

For FedRAMP rev5 CSPs:

  • Goes into effect on 10/8/2025
  • Participants MUST be enrolled in the Rev5 VDR Closed Beta (Rev5 VDR Open Beta is planned for FY26 Q2)

Prior Vulnerability Scanning Requirements (Pre-VDR)

Prior to this new standard, CSPs were required to perform the following activities for ConMon, vulnerability scanning and Plan of Action and Milestones (POA&M) reporting:

  • Monthly Scans: Cloud Service Providers (CSPs) were required to perform and submit vulnerability scans monthly.
  • Component Discovery: Scans had to identify all components within the authorization boundary, including IP addresses, ports, protocols, and services.
  • Network Infrastructure Scanning: Elevated privilege scans were expected on network infrastructure, including management interfaces.
  • FedRAMP Inventory Mapping: Scan results needed to align with the FedRAMP Integrated Inventory Workbook and System Security Plan (SSP).
  • POA&M Updates: Vulnerabilities discovered were tracked and remediated through POA&M entries, which were reviewed by agencies and the Joint Authorization Board (JAB).
  • Manual Evaluation: CSPs manually assessed vulnerabilities for severity and exploitability.
  • Agency Review: Agencies used scan reports and POA&Ms to monitor risk posture.
  • No Formal Timeframes: There were general expectations for timely remediation, but no standardized timeframes across impact levels.

What Changes with the New VDR Standard

  • CSPs now perform automated, continuous detection and response
  • Specific timeframes for detection, evaluation, and remediation are defined
  • Added contextual impact ratings (N1–N5)
  • CSPs are encouraged to use threat intelligence, bug bounties, and supply chain monitoring
  • A shift from static monthly scans to dynamic vulnerability management

Technical Deep-Dive:

The new standard contains security requirements, guidance, reporting requirements and recommendations, timeframe guidance and exceptions, as well as guidance for agency assessments. FedRAMP also provides technical assistance that adds context around the aspects of the standard that caused significant confusion during the public comment period.


Standard Requirements

The following requirements pertain to all FedRAMP authorized services for all baselines.

  • Vulnerability Detection & Response:
    • Providers must continuously and promptly detect vulnerabilities using methods like scanning, threat intelligence, bug bounties, and supply chain monitoring.
    • Providers must actively manage detected vulnerabilities—track, evaluate, mitigate, remediate, monitor exploitation, and report.
    • Providers must follow FedRAMP-defined timeframes for detection and response and are encouraged to exceed them for better performance scoring.
  • Detection Efficiency & Evaluation
    • Sampling of identical machine-based resources is allowed unless it compromises detection quality.
    • Providers should group similar vulnerabilities to streamline response activities.
    • Providers should assess whether detected vulnerabilities are false positives.
    • Providers must determine if vulnerabilities are likely exploitable.
    • Providers must assess whether vulnerabilities are reachable by the internet.
  • Impact Assessment
    • Providers must estimate the potential adverse impact of exploitation and assign a rating from N1 (Negligible) to N5 (Catastrophic across multiple agencies).
    • Evaluation should consider factors like system criticality, reachability, exploitability, detectability, prevalence, privilege level, interaction with other vulnerabilities, and known threats.
  • Documentation
    • Providers must document and justify any decisions not to follow FedRAMP recommendations, including implications for customers, and include this in their authorization data.
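To make the evaluation steps above concrete, here is a small triage script, added as an illustration and not code from FedRAMP or any CSP. It assumes scanner findings, an asset inventory carrying an internet-reachable flag and a customer-data flag, a threat-intelligence set of known-exploited vulnerabilities, and a set of analyst-confirmed false positives, all constructed inline. The vulnerability ids are placeholders, not real CVE identifiers, and the N1 to N5 scoring in `rate_impact` is a hypothetical mapping for illustration, not FedRAMP's definition of those ratings. It groups per-asset findings into one item per vulnerability and asset group, dismisses confirmed false positives, checks exploitability and internet reachability, and assigns an impact rating.

```python
"""Vulnerability triage helper: grouping, false-positive handling,
exploitability, reachability and impact rating.

Added example; assumptions are marked below.  Not FedRAMP's tooling.
"""

# --- Constructed sample data (not real scanner output) -------------------
# Vulnerability ids are placeholders, not real CVE identifiers.
FINDINGS = [
    {"vuln": "vuln-a", "asset": "web-01", "severity": "critical"},
    {"vuln": "vuln-a", "asset": "web-02", "severity": "critical"},
    {"vuln": "vuln-a", "asset": "web-03", "severity": "critical"},
    {"vuln": "vuln-b", "asset": "db-01", "severity": "high"},
    {"vuln": "vuln-c", "asset": "web-01", "severity": "medium"},
]

# Assumed inventory: logical group, internet reachability, customer data.
INVENTORY = {
    "web-01": {"group": "web-tier", "internet_reachable": True, "customer_data": False},
    "web-02": {"group": "web-tier", "internet_reachable": True, "customer_data": False},
    "web-03": {"group": "web-tier", "internet_reachable": True, "customer_data": False},
    "db-01": {"group": "db-tier", "internet_reachable": False, "customer_data": True},
}

# Assumed threat-intelligence feed: vulns with known in-the-wild exploitation.
KNOWN_EXPLOITED = {"vuln-a"}

# Assumed analyst decisions: (vuln, group) pairs confirmed as false positives.
FALSE_POSITIVES = {("vuln-c", "web-tier")}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def group_findings(findings, inventory):
    """Collapse one finding per asset into one item per (vuln, asset group).

    Returns {(vuln, group): {"assets": [...], "severity": worst severity}}.
    """
    grouped = {}
    for f in findings:
        key = (f["vuln"], inventory[f["asset"]]["group"])
        entry = grouped.setdefault(key, {"assets": [], "severity": "low"})
        entry["assets"].append(f["asset"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f["severity"]
    return grouped


def rate_impact(severity, reachable, exploitable, touches_customer_data):
    """Hypothetical N1..N5 mapping for illustration only (not FedRAMP's scale).

    Start at N1 and add one level for each aggravating factor, capped at N5.
    """
    score = 1
    if SEVERITY_RANK[severity] >= SEVERITY_RANK["high"]:
        score += 1
    if reachable:
        score += 1
    if exploitable:
        score += 1
    if touches_customer_data:
        score += 1
    return f"N{min(score, 5)}"


def evaluate(vuln, group, entry, inventory, known_exploited, false_positives):
    """Evaluate one grouped finding: false positive, exploitability,
    internet reachability and impact rating."""
    assets = entry["assets"]
    if (vuln, group) in false_positives:
        return {"vuln": vuln, "group": group, "assets": assets,
                "false_positive": True, "likely_exploitable": False,
                "internet_reachable": False, "impact": "N1"}
    reachable = any(inventory[a]["internet_reachable"] for a in assets)
    customer = any(inventory[a]["customer_data"] for a in assets)
    exploitable = vuln in known_exploited
    return {
        "vuln": vuln, "group": group, "assets": assets,
        "false_positive": False,
        "likely_exploitable": exploitable,
        "internet_reachable": reachable,
        "impact": rate_impact(entry["severity"], reachable, exploitable, customer),
    }


def triage(findings=FINDINGS, inventory=INVENTORY,
           known_exploited=KNOWN_EXPLOITED, false_positives=FALSE_POSITIVES):
    """Group, evaluate and order findings: real items first, highest impact first."""
    grouped = group_findings(findings, inventory)
    results = [evaluate(v, g, e, inventory, known_exploited, false_positives)
               for (v, g), e in grouped.items()]
    results.sort(key=lambda r: (r["false_positive"], -int(r["impact"][1])))
    return results


if __name__ == "__main__":
    for r in triage():
        print(r["impact"], r["vuln"], r["group"], r["assets"],
              "FP" if r["false_positive"] else "",
              "exploited" if r["likely_exploitable"] else "",
              "internet" if r["internet_reachable"] else "")
```

The grouping step is what lets three identical web nodes with the same vulnerability become one tracked item rather than three, and the reachability and exploitability flags are what a CSP would feed into the timeframe selection; the data sources behind those flags (inventory, threat intelligence, analyst review) are the part each provider has to get right in its own environment.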

Standard Application Guidance

FedRAMP-specific Reporting Requirements

Exceptions to the Standard Timeframe Guidance

Specific timeframes by impact level:

For FedRAMP HIGH:

For FedRAMP Moderate:

For FedRAMP Low:

Agency Guidance

Technical Assistance