FedRAMP Rev5 ยท Vulnerability Detection & Response

A Deterministic, CVSS-Environmental Method for FedRAMP Rev5 VDR/VER Vulnerability Prioritization

FedRAMP defines Potential Agency Impact (PAIN, N1โ€“N5) and a remediation-timeframe matrix but leaves the classifier unspecified. That classifier already exists, in standardized form, as the Environmental metric group of CVSS. This work makes the mapping explicit, deterministic, and auditable.

Matthew Venne, Chief Technology Officer, stackArmor

๐Ÿ’ฌ Join the discussion

All comments should be directed to our GitHub Discussion.

Start here โ€” the core document

Companion methods

Further proposals

VLEV โ€” Exploitability Gradation

A Finer Exploitability Gradation (VLEV) for FedRAMP Rev5 VDR/VER โ€” splits exploitability into three bands (NLEV / LEV / VLEV) aligned to CISA Vulnrichment, with the full six-column remediation grid per Certification Class.

VEX (CycloneDX) โ€” Disposition

A CycloneDX VEX Profile for FedRAMP Rev5 VDR/VER Disposition and Response โ€” the machine-readable carrier for the post-detection disposition step (false positive, not reachable, mitigated, or accepted with an attested response), with a VER field mapping, an OCI distribution pattern, and an optional CISA-label crosswalk.

Build from source

These are informational documents. PDFs are rendered from the LaTeX sources:

brew install tectonic        # one-time
tectonic vdr-pain-cvss.tex         # -> vdr-pain-cvss.pdf
tectonic vlev-proposal.tex         # -> vlev-proposal.pdf
tectonic vex-cyclonedx.tex         # -> vex-cyclonedx.pdf
tectonic internet-reachability.tex # -> internet-reachability.pdf
tectonic internet-reachability-companion-blog.tex # -> plain-language PDF