
FedRAMP’s New Vulnerability Detection and Response Standard

WOW! If you haven’t heard, FedRAMP released a new Vulnerability Detection and Response (VDR) standard on September 11, 2025. This new standard is poised to change the way Cloud Service Providers (CSPs) deliver continuous monitoring to their agencies.

Who does this Impact? 

If you are currently FedRAMP authorized under Revision 5, there is no short-term impact unless you volunteer for the Rev5 VDR Open Beta, which is tentatively scheduled to begin on October 15, 2026.

On the other hand, if you are FedRAMP 20x Low authorized, you should already be applying this standard, which took effect on September 15, 2025. CSPs in this space are required to demonstrate significant progress in implementing it each quarter, with full adoption within one year of authorization.

What are the changes? 

This is a complex question. FedRAMP is modernizing the way CSPs identify, assess, and remediate vulnerabilities. Rather than relying solely on the traditional CVSS v3 score, the standard evaluates each vulnerability's risk through an assessment of its likelihood of exploitability (LEV) in the CSP's actual environment. The CSP applies its own logic across factors such as Environmental Exploitability, Internet Exposure, Privilege Escalation, Criticality, Prevalence, Proximate Vulnerabilities, and Known Threats. The result is a new risk rating scale on which vulnerabilities are categorized from N1 (negligible) to N5 (catastrophic).

With the new risk categories come new remediation timelines, which depend on the CSP's FedRAMP authorization level (Low, Moderate, High), on the vulnerability's risk rating, and on whether the vulnerability is internet reachable, non-internet reachable, or not assessed as likely exploitable (Not LEV). The tables below break down the timelines, in days, within which a CSP must partially mitigate, fully mitigate, or remediate a vulnerability to a lower risk rating.

FedRAMP Low Authorized systems (time to remediate, in days)

Risk rating   Internet Reachable (IRV)   Non-Internet Reachable (NIRV)   Not LEV
N5             4                          8                              32
N4             8                         32                              64
N3            32                         64                             192
N2            96                        160                             192

FedRAMP Moderate Authorized systems (time to remediate, in days)

Risk rating   Internet Reachable (IRV)   Non-Internet Reachable (NIRV)   Not LEV
N5             2                          4                              16
N4             4                          8                              64
N3            16                         32                             128
N2            48                        128                             192

FedRAMP High Authorized systems (time to remediate, in days)

Risk rating   Internet Reachable (IRV)   Non-Internet Reachable (NIRV)   Not LEV
N5             0.5 (12 hours)             1                               8
N4             2                          8                              32
N3             8                         16                              64
N2            24                         96                             192

I know it’s a lot to digest. Keep in mind that CSPs are still required to adhere to CISA Binding Operational Directive 22-01 and remediate Known Exploited Vulnerabilities (KEVs) within the timelines CISA dictates for each catalog entry. Both requirements apply at once, so whichever deadline comes first is the one that binds.
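To make the tables concrete, here is an added example (not code from FedRAMP, the VDR standard, or this post) that turns them into a deadline calculator: it looks up the VDR timeline for a finding's rating, exposure class and the system's authorization level, takes the earlier of that deadline and any CISA KEV catalog due date, and flags findings that are overdue. The Finding structure and its field names, the decision to start the clock at detection, and the sample findings are all assumptions made for this example; the day counts are transcribed from the tables above.

```python
"""Deadline calculator for the FedRAMP VDR remediation timelines.

Added example, not code from FedRAMP or from this post. Day counts are
transcribed from the three tables above. Assumptions made for the example:
the clock starts when the CSP detects the vulnerability, a finding already
carries its VDR rating and exposure class, and the KEV catalog due date (if
any) is supplied by the caller.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Days to remediate, keyed by authorization level and risk rating.
# Column order: (Internet Reachable, Non-Internet Reachable, Not LEV).
# N1 (negligible) has no row in the standard's tables, so it is absent here.
TIMELINES = {
    "Low":      {"N5": (4, 8, 32),   "N4": (8, 32, 64), "N3": (32, 64, 192), "N2": (96, 160, 192)},
    "Moderate": {"N5": (2, 4, 16),   "N4": (4, 8, 64),  "N3": (16, 32, 128), "N2": (48, 128, 192)},
    "High":     {"N5": (0.5, 1, 8),  "N4": (2, 8, 32),  "N3": (8, 16, 64),   "N2": (24, 96, 192)},
}
EXPOSURE_COLUMN = {"IRV": 0, "NIRV": 1, "NOT_LEV": 2}


@dataclass
class Finding:
    """One scanner finding (field names are assumptions for this example)."""
    finding_id: str
    rating: str                          # VDR rating "N1".."N5"
    exposure: str                        # "IRV", "NIRV" or "NOT_LEV"
    detected: datetime                   # when the CSP first detected it
    kev_due: Optional[datetime] = None   # CISA KEV catalog due date, if listed


def vdr_deadline_days(level: str, rating: str, exposure: str):
    """Days allowed by the VDR table, or None when the table has no row (N1)."""
    row = TIMELINES[level].get(rating)
    if row is None:
        return None
    return row[EXPOSURE_COLUMN[exposure]]


def due_date(finding: Finding, level: str) -> Optional[datetime]:
    """Binding due date: the earlier of the VDR deadline and the KEV due date.

    datetime is used rather than date so the High/N5/IRV half-day deadline is
    not silently truncated (date + timedelta(days=0.5) adds zero days).
    """
    days = vdr_deadline_days(level, finding.rating, finding.exposure)
    vdr_due = finding.detected + timedelta(days=days) if days is not None else None
    candidates = [d for d in (vdr_due, finding.kev_due) if d is not None]
    return min(candidates) if candidates else None


def overdue(findings, level: str, as_of: str):
    """IDs of findings whose binding due date has passed as of an ISO 8601 timestamp."""
    now = datetime.fromisoformat(as_of)
    late = []
    for f in findings:
        d = due_date(f, level)
        if d is not None and d < now:
            late.append(f.finding_id)
    return late


def sample_findings():
    """Constructed sample findings (not real scan output) to exercise the calculator."""
    t0 = datetime(2025, 10, 1)
    return [
        Finding("sample-1", "N5", "IRV", t0),
        Finding("sample-2", "N3", "NIRV", t0),
        # Rated N2 and not LEV, but listed in the KEV catalog with an earlier due date,
        # so the KEV date is the one that binds.
        Finding("sample-3", "N2", "NOT_LEV", t0, kev_due=datetime(2025, 10, 20)),
        Finding("sample-4", "N1", "NIRV", t0),  # no VDR timeline row
    ]


if __name__ == "__main__":
    for level in ("Low", "Moderate", "High"):
        print(level, "overdue as of 2025-11-01:", overdue(sample_findings(), level, "2025-11-01"))
```

Running the block shows the effect of the authorization level on the same set of findings: at Moderate the N3 non-internet-reachable finding has 32 days and is still within its window on November 1, while at High it had only 16 days and is already overdue; the KEV-listed finding is overdue at every level regardless of its N2 rating.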

Overall, this is a big step toward determining a vulnerability’s real impact on a system, and it breaks away from the “one size fits all” mentality. There will most assuredly be a learning curve in implementing the new standard, and the timelines are not its only change. Stay tuned for more on the implementation.

InfusionPoints is on the leading edge, developing solutions and strategies to ensure complex customer systems are positioned for success in this dynamic FedRAMP space.

Sources:

https://github.com/FedRAMP/docs/blob/main/markdown/FRMR.VDR.vulnerability-detection-and-response.md

https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities

https://www.cisa.gov/known-exploited-vulnerabilities-catalog
