Earthling Security’s perspective on timelines, priorities, and actionable steps for Cloud Service Providers (CSPs) and agencies.
The Next Chapter in FedRAMP Compliance
FedRAMP’s latest move, publishing the Vulnerability Detection & Response (VDR) standard, Release 25.09A, is one of the most significant shifts in federal cloud compliance in years.
Rather than focusing on static checklists or fixed scan frequencies, the VDR standard emphasizes risk-based outcomes, speed of remediation, and transparent reporting. For Cloud Service Providers (CSPs) and agencies, this means preparing for an environment where attackers exploit exposure in days, not months. Compliance requirements must keep pace.
At Earthling Security, we see this as a positive evolution. VDR pushes security programs toward automation, real-time discovery, and measurable outcomes that reflect actual risk, not just compliance paperwork.
What Is the FedRAMP VDR Standard?
The VDR standard introduces several key goals that reshape how CSPs approach vulnerability management:
- Automate & Persist Vulnerability Discovery – integrate multiple sources: scanners, threat intelligence, bug bounty programs, and supply chain signals.
- Prioritize by Risk – evaluate vulnerabilities based on exploitability, reachability, and blast radius, not just static CVSS scores.
- Focus on Outcomes – measure how quickly organizations reduce potential adverse impact, not just whether they’ve tracked findings.
- Transparent Reporting – requires results in both human-readable and machine-readable formats to support federal oversight and automation.
Expectations vary depending on impact level (Low, Moderate, High), especially around detection cadence and evaluation windows.
Who Is Affected by FedRAMP VDR and When?
Immediate Impact (FedRAMP 20x Pilots):
- Effective Sept 15, 2025.
- Progress is expected, though absolute compliance is not yet required.
Upcoming Impact (Rev 5 CSPs):
- Closed beta begins Oct 2025.
- Broader rollout scheduled across FY26 Q2–Q4.
Key Milestones to Watch:
- Oct 2025 → Closed beta.
- FY26 Q2 → Open beta.
- Late FY26 → Transition readiness and broader enforcement.
How VDR Changes Continuous Monitoring Practices
While some elements remain unchanged until VDR formally applies (e.g., POA&Ms and ConMon), several aspects of day-to-day operations must evolve now:
- Risk Paths: Differentiate between internet-reachable vs. internet-accessible vulnerabilities.
- Response Speed: Shift from multi-week remediation cycles to 3-day SLAs for internet-reachable issues and 7- or 21-day SLAs for others.
- Reporting: Prepare to produce both machine-readable outputs and human-readable summaries.
- Tooling & SLAs: Update detection tooling, workflows, and service levels to meet these new expectations.
Practical Steps CSPs Should Take Now by Maturity Level
Even incremental preparation now will reduce the risk of disruption later.
| Maturity Level | Suggested First Steps |
| Early Stage | Inventory internet-reachable surfaces, tag findings by risk, and adjust SLAs. |
| Mid Maturity | Add context (asset criticality, exploit intelligence), generate machine-readable feeds, pilot defensive patterns. |
| Advanced | Shift to event-driven detection, measure “time-to-impact reduction,” and prepare for full VDR transition. |
Internet-Reachable Vulnerabilities: A New Focal Point
The definition of internet-reachable is broader than many CSPs expect. It refers to any external path that allows a malicious payload to touch a vulnerable component, even if that system sits behind a proxy, load balancer, or WAF.
This forces CSPs to rethink ingress paths, sanitization, and proxy rules. At Earthling Security, we view this as a significant mindset shift: exposure is no longer defined by whether a port is open, but by whether a component can realistically be reached and exploited.
VDR vs. POA&M: What Changes and What Stays
For now, POA&Ms remain the authoritative method for tracking vulnerabilities until VDR formally applies. But that doesn’t mean CSPs should wait.
Best practice for CSPs integrating VDR with existing controls:
- Continue managing vulnerabilities under existing POA&M processes.
- Begin experimenting with VDR-style risk assessments and machine-readable reporting in parallel.
- Balance innovation with stability — prepare early, but don’t disrupt existing compliance obligations.
FedRAMP VDR Rollout: Near, Mid, and Long Term
- Now → Q4 2025: Begin mapping internet-reachable assets, refining internal workflows, and piloting reporting methods.
- FY26 Q2: Open beta begins. Organizations should decide whether to adopt early or wait.
- FY26 Q3–Q4: Expect broader adoption and potential full transition.
Preparing for the Future of FedRAMP Compliance
- Prioritize reachability analysis: Begin mapping internet-reachable assets today.
- Accelerate remediation cycles: Build operational readiness for 3-day, 7-day, and 21-day requirements.
- Invest in automation: Machine-readable reports, threat intel integration, and policy-as-code will be critical.
- Prepare leadership: Agencies will expect transparent reporting and evidence of real-world risk reduction.
These changes align with broader cloud maturity trends: continuous discovery, context-driven prioritization, and automated remediation.
Earthling’s View on the VDR Standard
The VDR standard is a pivotal step in FedRAMP’s evolution. By moving from static checklists to dynamic, risk-based outcomes, FedRAMP is signaling how the next decade of cloud compliance will look.
Earthling’s Recommendations
- Assess where your organization stands today.
- Create a roadmap for VDR adoption.
- Take incremental steps now so the eventual transition is evolutionary, not disruptive.
Next Steps
- Visit Earthling’s FedRAMP 20x hub.
- Explore FedRAMP as a Service.
- Schedule a Free FedRAMP Gap Analysis Workshop.
- Learn more about CodeOps™.