Start here โ the core document
The Method
A Deterministic, CVSS-Environmental Method for FedRAMP Rev5 VDR/VER Vulnerability Prioritization โ closed-form PAIN derivation, the VDR-TFR-PVR remediation matrix, worked examples, a reference architecture, and an example asset-archetype catalog. The two companions below build on it.
Prefer a lighter read? Companion Blog
Companion methods
Internet Reachability at Scale
Internet Reachability at Scale under the FedRAMP VDR/VER Rules โ recommends a current profile based on direct exposure, reusable CVE-level indirect-trigger promotion, and standing prevention assertions backed by existing assessment, DAST, and remediation evidence. This produces a conditional convergence toward direct accessibility plus known uncovered indirect triggers. Its separate content/transform equation is a non-normative interoperability reference, not a proposed current FedRAMP requirement.
Prefer a lighter read? Companion Blog
Further proposals
VLEV โ Exploitability Gradation
A Finer Exploitability Gradation (VLEV) for FedRAMP Rev5 VDR/VER โ splits exploitability into three bands (NLEV / LEV / VLEV) aligned to CISA Vulnrichment, with the full six-column remediation grid per Certification Class.
VEX (CycloneDX) โ Disposition
A CycloneDX VEX Profile for FedRAMP Rev5 VDR/VER Disposition and Response โ the machine-readable carrier for the post-detection disposition step (false positive, not reachable, mitigated, or accepted with an attested response), with a VER field mapping, an OCI distribution pattern, and an optional CISA-label crosswalk.
Build from source
These are informational documents. PDFs are rendered from the LaTeX sources:
brew install tectonic # one-time tectonic vdr-pain-cvss.tex # -> vdr-pain-cvss.pdf tectonic vlev-proposal.tex # -> vlev-proposal.pdf tectonic vex-cyclonedx.tex # -> vex-cyclonedx.pdf tectonic internet-reachability.tex # -> internet-reachability.pdf tectonic internet-reachability-companion-blog.tex # -> plain-language PDF