The FedRAMP Vulnerability Detection and Response Standard, herein referred to as VDR contains requirements and recommendation for vulnerability management and reporting. This article explains how to access VDR data in Paramify as a federal agency, 3PAO, or another interested party who has been granted access to the Issues section of a Paramify package.
Monthly Activity Report
VDR-TFR-MHR states "Providers MUST report vulnerability detection and response activity to all necessary parties in a consistent format that is human readable at least monthly."
Paramify's Monitoring > Issues feature, accessible at: https://app.paramify.com/monitoring/issues provides a human readable format that is accessible continuously and should be updated by each cloud service provider at least monthly.
Mark Accepted Vulnerabilities
VDR-TFR-MAV states "Providers MUST categorize any vulnerability that is not or will not be fully mitigated or remediated within 192 days of evaluation as an accepted vulnerability."
Accepted Issues can be seen in by filtering on Excuse Status > Accepted.
Historical Activity
VDR-TFR-MRH states "Providers SHOULD make all recent historical vulnerability detection and response activity available in a machine-readable format for automated retrieval by all necessary parties (e.g. using an API service or similar); this information SHOULD be updated persistently, at least once every 14 days."
Paramify's API provides a method for automated retrieval of machine-readable VDR data. See https://app.paramify.com/api/documentation/ for API documentation, especially the /issues endpoints.
A visual API browser tool that provides a human-friendly view of the available API endpoints and the response data format (JSONs) is available publicly: https://github.com/paramify/paramify-api-browser

Lastly, Issues can be exported in an OSCAL machine-readable format by clicking the three dot menu button and then selecting Download OSCAL. Issues can also be exported as a CSV file with filters applied by selecting Download Filtered Issues (CSV).
Persistent Reporting
VDR-RPT-PER states "Providers MUST report vulnerability detection and response activity to all necessary parties persistently, summarizing ALL activity since the previous report; these reports are authorization data and are subject to the FedRAMP Authorization Data Sharing (ADS) process."
A summary of all activity since the previous period can be created by filtering by Timeframe within the Issues table.
Additionally, Paramify Trend Analysis dashboards show Issues trends over time
https://app.paramify.com/monitoring/trend-analysis
Vulnerability Details
VDR-RPT-VDT states "Providers MUST include the following information (if applicable) on detected vulnerabilities when reporting on vulnerability detection and response activity, UNLESS it is an accepted vulnerability:"
| FedRAMP VDR Requirement | Legacy FedRAMP Rev5 POA&M Name |
Paramify Issues Field Name |
|---|---|---|
| 1. Provider's internally assigned tracking identifier | POA&M ID | Paramify Issue ID |
| 2. Time and source of the detection | Original Detection Date (Column K) | Effective Date |
| 3. Time of completed evaluation | N/A | Evaluation Date |
| 4. Is it an internet-reachable vulnerability or not? | N/A | Internet-Reachable Vulnerability |
| 5. Is it a likely exploitable vulnerability or not? | N/A | Likely Exploitable Vulnerability |
| 6. Historically and currently estimated potential adverse impact of exploitation | Original Risk Rating (Column S) | Original Risk Level / Risk Level |
| 7. Time and level of each completed and evaluated reduction in potential adverse impact | Status Date (Column O), Planned Milestones (Column M) | Status Date, Excuses > Risk Adjustments |
| 8. Estimated time and target level of next reduction in potential adverse impact | Planned Milestones (Column M) | Due Date, Risk Level |
| 9. Is it currently or is it likely to become an overdue vulnerability or not? If so, explain. | Due Soon, Overdue, Remediation Activities | |
| 10. Any supplementary information the provider responsibly determines will help federal agencies assess or mitigate the risk to their federal customer data within the cloud service offering resulting from the vulnerability | Overall Remediation Plan (Column J), Resources Required (Column I) |
Remediation > Recommendations & Summary |
| 11. Final disposition of the vulnerability | Risk Level |
Review Vulnerability Reports
VDR-AGM-RVR states "Agencies SHOULD review the information provided in vulnerability reports at appropriate and reasonable intervals commensurate with the expectations and risk posture indicated by their Authorization to Operate, and SHOULD use automated processing and filtering of machine readable information from cloud service providers.
Note: FedRAMP recommends that agencies only review overdue and accepted vulnerabilities with a potential adverse impact of N3 or higher unless the cloud service provider recommends mitigations or the service is included in a higher risk federal information system. Furthermore, accepted vulnerabilities generally only need to be reviewed when they are added or during an updated risk assessment due to changes in the agency’s use or authorization."
An agency can view overdue vulnerabilities with a potential adverse impact of N3 or higher by filtering on Risk Level (selecting moderate, high, and critical) and Timeframe > Past Due. Accepted vulnerabilities with a potential adverse impact of N3 or higher can be seen by filtering on Risk Level (selecting moderate, high, and critical) and Excuse Status > Accepted.
All filtered views can be exported as a CSV file by clicking the three dot menu button and selecting Download Filtered Issues (CSV). Issues can also be exported in an OSCAL machine-readable format by selecting Download OSCAL.
If you have any questions about how to access VDR related data in Paramify or how to navigate the Paramify Monitoring & Issues features please contact Paramify Support: https://support.paramify.com/hc/en-us/requests/new
Reference - FedRAMP Vulnerability Detection and Response Standard
Comments
0 comments
Please sign in to leave a comment.