Question on VDR Rev5 timeline for CSPs #126
Replies: 1 comment 1 reply
-
|
The Optional Balance for Rev5 section of the Balance Improvement Releases page addresses this: "All requirements in optional Balance Improvement Releases only apply to providers that are adopting the Balance Improvement Release." To be extra double clear - as soon as the word "Optional" appears at the top of the applicability section there is not a single further word that applies unless someone is exercising the option. :)
Yes, this will be included in the Consolidated Rules for 2026 that will be released by the end of June, 2026. |
Beta Was this translation helpful? Give feedback.
-
|
Gotcha. Thanks for the quick response and clarification. We're trying to get a head start, but will keep an eye out for the consolidated rules |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Hi FedRAMP PMO team — quick clarification question on the Vulnerability Detection and Response (VDR) Rev 5 Open Beta timeline.
In the “Effective Date(s) & Overall Applicability for Rev5” section, VDR is described as optional (Open Beta) starting 2026-02-02, and it also says providers “MUST plan to address all requirements and recommendations… by the end of the Open Beta on May 22, 2026.”
Can you confirm whether May 22, 2026 is:
intended only for CSPs participating in the VDR Open Beta (i.e., those that signed up / are accepted into the beta), or
intended to be a deadline that applies to all FedRAMP Authorized CSPs, regardless of beta participation?
If it’s only for beta participants, will there be separate guidance/policy later that establishes expectations and timelines for broader adoption post-beta? We're road mapping our VDR Rev 5 implementation(s) but will need make some technical changes (likely via SCN 😀) , so we're trying to understand what the timeline looks like.
Thanks in advance!
Beta Was this translation helpful? Give feedback.
All reactions