Authored by: PlexTrac Author
Posted on: August 16, 2025

What FedRAMP's New Vulnerability Management Standard Means for Pentesters and Vuln Managers

Breaking Down the New RFC-0012 Standard Under FedRAMP and How It Can Change Your Daily Security Operations

If you work in vulnerability management or penetration testing for cloud systems under FedRAMP, buckle up: the new RFC-0012, the FedRAMP Continuous Vulnerability Management Standard, is going to change how your work is scoped, tracked, and prioritized.

RFC-0012 introduces some big changes and is currently a draft open for public comment. It takes a more aggressive, risk-informed approach to vulnerability management, with the goal of finding and closing exploitable weaknesses faster. With tighter timelines, broader vulnerability definitions, and more pressure to prove results, security teams will need to act faster than ever before.

Even if you don't have to adhere to FedRAMP, it is worth keeping up with this standard: organizations outside the FedRAMP space will find plenty in it that applies to day-to-day security operations.

Continuous Testing Will Be the New Norm

You can say goodbye to quarterly scans or annual pentests run just to check a box. RFC-0012 calls for continuous testing, with ongoing detection and assessment of your assets. Now you'll need to:

- Increase your vulnerability scanning frequency
- Shift toward always-on monitoring and real-time alerting
- Determine how often you'll need to run pentests and internal assessments

So if you're a pentester, you're in luck: your value just went up. Expect to be pulled in more often, not just to uncover blind spots but to continuously validate whether a vulnerability is realistically exploitable under the new FedRAMP rules. If you're a vulnerability manager, expect to stay busy, with continuous assessment becoming the norm rather than the exception.
Under the draft, scanning and assessment are required every three to seven days for internet-facing assets and every month for all other assets.

Remediation Timelines Are Getting Tighter, and Mitigation Matters More

Under the new RFC-0012 standard, remediation is of course expected, but mitigation takes priority: you need to reduce risk fast, even if a full fix takes longer. Mitigation windows shrink dramatically for high-risk findings. As a vulnerability manager, you'll need to:

- Review the new timelines and requirements for mitigations vs. remediations
- Act fast by running and maintaining ongoing, real-time triage
- Apply temporary mitigations such as adding firewall rules or disabling services
- Collaborate effectively with system owners and SecOps teams
- Track and report on both short-term and long-term fixes more clearly

The draft defines the two terms as follows:

“Mitigate: Temporarily reduce the risk that a vulnerability will be exploited or the potential adverse impact if it is exploited; mitigated vulnerabilities still appear in assessments until they are remediated.”

“Remediate: Permanently remove a vulnerability; remediated vulnerabilities are not exploitable and no longer appear in scans or other analyses. Remediation is the neutralization or elimination of a vulnerability or the likelihood of its exploitation.”

Please note: the draft requires all detected vulnerabilities to be fully mitigated or remediated within six months of reporting.

One practical consequence of these definitions: a mitigated finding (say, a vulnerable service that is now blocked at the firewall) still shows up in every subsequent scan, so your tracking has to distinguish "mitigated, remediation pending" from "open", or your continuous scan results will look like they are going backwards.

Real-World Exploitability > CVSS

The Common Vulnerability Scoring System (CVSS) has been treated as the be-all, end-all by some organizations. But FedRAMP is shifting toward context-based risk assessment, which must account for how a vulnerability could be exploited, who the target is, what's exposed, and what business or mission impact could occur. CVSS will still be relevant, but a base score describes the intrinsic severity of a flaw, not its exposure in your environment; context is required.
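To make that contrast concrete, here is an added example that is not part of the original article and is neither FedRAMP's nor PlexTrac's scoring method. It takes the three context factors the text names (how the flaw could be exploited, what is exposed, what the mission impact is) as multipliers on the CVSS base score and shows how a "critical" finding on an isolated, low-impact host can rank below a "medium" one that a pentester has actually exploited on an internet-facing system. The multiplier values, the severity labels, the finding IDs and asset names, and the sample findings are all assumptions constructed for the illustration.

```python
"""Context-aware ranking of scanner findings.

Illustrative example written for this article. It is not FedRAMP's
scoring method and not PlexTrac's: the multipliers below are assumptions
chosen to show how exposure, validated exploitability and mission impact
can reorder findings relative to their raw CVSS base scores.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str           # hypothetical tracker ID, e.g. "F-1"
    asset: str                # hypothetical asset name
    cvss_base: float          # scanner-reported CVSS base score, 0.0-10.0
    internet_facing: bool     # exposure: reachable from the internet?
    exploit_validated: bool   # did a pentester actually exploit it?
    mission_impact: str       # "low" | "moderate" | "high" (assumed labels)
    known_exploited: bool = False  # listed in a known-exploited feed (assumed)


# Assumed weights for the mission impact of the affected asset.
IMPACT_WEIGHT = {"low": 0.6, "moderate": 1.0, "high": 1.4}


def severity_band(score: float) -> str:
    """Map a 0-10 score onto the CVSS v3 qualitative severity bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def contextual_score(f: Finding) -> float:
    """Adjust a CVSS base score with environment context.

    Each factor the article names (how it could be exploited, what is
    exposed, what the mission impact is) becomes a multiplier. The values
    are illustrative assumptions, not a published formula.
    """
    score = f.cvss_base
    # Exposure: anything on the internet is reachable by every attacker.
    score *= 1.3 if f.internet_facing else 0.7
    # Exploitability: a validated exploit path is the strongest evidence;
    # a known-exploited CVE is nearly as strong; otherwise discount.
    if f.exploit_validated:
        score *= 1.4
    elif f.known_exploited:
        score *= 1.25
    else:
        score *= 0.85
    # Impact on the mission the asset supports.
    score *= IMPACT_WEIGHT[f.mission_impact]
    return round(min(score, 10.0), 1)


def cvss_only_order(findings: list[Finding]) -> list[str]:
    """Finding IDs ranked by raw CVSS base score, highest first."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


def contextual_order(findings: list[Finding]) -> list[str]:
    """Finding IDs ranked by contextual score, highest first."""
    return [f.finding_id for f in sorted(findings, key=contextual_score, reverse=True)]


# Constructed sample findings (not real scan data).
SAMPLE_FINDINGS = [
    Finding("F-1", "build-server", 9.8, False, False, "low"),
    Finding("F-2", "customer-portal", 6.5, True, True, "high"),
    Finding("F-3", "public-api-gw", 7.5, True, False, "low", known_exploited=True),
    Finding("F-4", "hr-database", 5.3, False, True, "moderate"),
    Finding("F-5", "dev-wiki", 4.3, False, False, "low"),
]


if __name__ == "__main__":
    print("CVSS-only order:  ", cvss_only_order(SAMPLE_FINDINGS))
    print("Contextual order: ", contextual_order(SAMPLE_FINDINGS))
    for f in SAMPLE_FINDINGS:
        ctx = contextual_score(f)
        print(f"{f.finding_id} {f.asset:16} CVSS {f.cvss_base} ({severity_band(f.cvss_base)})"
              f" -> {ctx} ({severity_band(ctx)})")
```

With the sample data, F-1 (CVSS 9.8, Critical) drops to the Low band because it is internal, unvalidated and low impact, while F-2 (CVSS 6.5, Medium) rises to Critical because it is internet-facing, pentester-validated and high impact. The point is the mechanism, not the particular weights: whatever scheme you adopt, write the factors down so the ranking can be explained to auditors and leadership rather than argued case by case.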
As a pentester, you'll be expected to provide richer context in your findings:

- Validate that vulnerabilities are exploitable and demonstrate the potential impact
- Highlight lateral movement, chaining opportunities, and real attack paths
- Give organizations evidence and recommendations to prioritize remediation efforts

Vulnerability managers will need to go beyond the scan. Context is key: not every "critical" score is truly critical, and not every medium score is "safe" to ignore or defer.

More Visibility Means More Pressure

Good or bad, one side effect of continuous vulnerability management is that leadership will be watching more closely. The new expectations around worst-case timelines, restrictions on plans of action and milestones (POA&Ms), and mitigation documentation require a careful eye. Security leadership will want:

- Clear, actionable dashboards showing status by asset type, severity, and exposure
- Fewer POA&Ms, which should be used only when there is no other option
- More automated workflows and better security reporting

If you don't have the visibility to show your key metrics and mitigation progress, now is the time to invest; it will be essential to your success.

Automation Is No Longer Optional

Manual processes won't keep up with what the RFC-0012 draft is pushing. Continuous discovery, fast triage, and real-time updates require automation. Security teams will need:

- Vulnerability scanners with API-driven workflows
- Integrations between detection tools, ticketing systems, and reporting dashboards
- Automated validation wherever possible

That said, manual work can't be done away with entirely. Pentesters should help define where manual testing is required, because automation often misses logic flaws, vulnerability chaining, and evasion techniques that a human tester will catch.
On the other side, vulnerability managers should focus on automating the repeatable parts of the vulnerability lifecycle: centralizing data, automating workflows, and driving remediation efficiently at scale.

Key Takeaways From the RFC-0012 Draft

Remember, RFC-0012 is still in draft form, but it tells us where FedRAMP is heading: more testing, faster fixes, less reporting fluff, and far more accountability.

Pentesters, expect to be on call more as your role becomes more operational, meeting organizations' need for continuous assurance rather than one-time engagements. Vulnerability managers, you'll soon shift from status tracking to active risk reduction with demonstrable outcomes.

FedRAMP is leading the charge toward Continuous Threat Exposure Management (CTEM). That raises the question: are you continuous? If not, now is the time. Read the draft, discuss it with your team, and plan how you'll tackle these new expectations. If you're not working within the FedRAMP space, we still recommend reading the RFC, as it outlines aspects of CTEM that we expect will shape regulatory and compliance frameworks across other industries.

How PlexTrac Can Help Meet These New Expectations

The RFC-0012 standard is clear about what it requires: faster testing cycles, immediate mitigation, contextual risk visibility, and fewer delays in reporting and response. PlexTrac delivers exactly that.
Whether you're running red team ops or managing blue team vulnerabilities across the largest environments, PlexTrac provides a purple team platform that gives you:

- Centralized reporting for all findings, from manual pentests to automated scans
- Contextual tagging and prioritization of organized findings
- Custom risk scoring, where you set the criteria within the context of your environment
- Live dashboards and metrics that show leadership current risks and what is being done about them
- Remediation tracking workflows with status, deadlines, and links for every issue
- POA&M alignment that generates artifacts to support FedRAMP documentation
- Integrations with leading scanners and ticketing tools to close the loop faster

If your team is preparing for what FedRAMP expects next, PlexTrac is here to help you move from reactive to ready. Request a demo today to see how you can quickly consolidate data, reduce risk, and prove continuous validation in one place.

PlexTrac Author
At PlexTrac, we bring together insights from a diverse range of voices. Our blog features contributions from industry experts, ethical hackers, CTOs, influencers, and PlexTrac team members, all sharing valuable perspectives on cybersecurity, pentesting, and risk management.