FedRAMP Proposes RFC‑0012: A Shift Toward Continuous and Context‑Driven Vulnerability Management
FedRAMP has published RFC‑0012, the Continuous Vulnerability Management Standard, opening it for public comment through August 21, 2025. The draft calls for a more context‑driven, risk‑based approach to vulnerability management—expanding the definition of vulnerabilities to include misconfigurations and credential issues, prioritizing based on exploitability and reachability rather than CVSS alone, encouraging automated workflows and API‑driven reporting, and specifying response timelines. The goal is to streamline cloud service providers’ (CSPs) practices, reduce bespoke government reporting, and require POA&Ms only when remediation deadlines cannot be met.