
FedRAMP Rev 5 vulnerability scanning and supply chain controls

What cloud providers must do to keep a federal authorization

FedRAMP Baselines Rev 5 align the program to NIST SP 800-53 Rev 5. For any cloud service provider selling to a US federal agency, the day-to-day work lives in four control areas: RA-5 vulnerability scanning, the new SR (Supply Chain Risk Management) control family, CA-7 continuous monitoring, and SI-2 flaw remediation.

The headline obligation is RA-5: monthly authenticated scans of operating systems and infrastructure, web applications including APIs, and databases, with remediation service levels of 30 days for high, 90 days for moderate, and 180 days for low. Miss those windows and your continuous monitoring posture, and ultimately your authorization, is at risk. Official program guidance lives at fedramp.gov.

At a glance

  • 30 / 90 / 180: days to remediate high / moderate / low findings (RA-5)
  • Monthly: required cadence for authenticated vulnerability scans
  • 18: control families in the High baseline after SR was added
  • 3 layers: OS/infrastructure, web app + API, and database scans

Source: Federal Risk and Authorization Management Program (FedRAMP), Baselines Rev 5
Why it matters

An authorization is not a one-time event. Rev 5 makes that explicit.

FedRAMP Rev 5 rebased the program on NIST SP 800-53 Rev 5, completing the transition across 2023 and 2024 with ongoing RFC updates. The practical change is not just renumbered controls. It shifts weight toward continuous evidence: scans you can prove ran, findings you can prove you closed inside the clock, and a supply chain you can prove you understand.

The new SR (Supply Chain Risk Management) control family is the headline addition, raising the High baseline from 17 to 18 control families. It asks cloud providers to assess software trustworthiness, manage third-party dependencies, secure their SDLC, and control who can touch code and build systems (SR family). Combined with RA-5 scanning and SI-2 remediation, it closes the loop between knowing what you ship and fixing what is wrong with it.

The remediation service levels are unforgiving and specific: 30 days for high-severity findings, 90 for moderate, 180 for low (RA-5). Continuous monitoring under CA-7 means an agency is watching whether you actually hit them. Treat RA-5, SR, CA-7 and SI-2 as a single operating rhythm rather than four separate audits.

How O3 helps

Find it before attackers do. Catch it if they try. Fix it fast.

Across these requirements, O3 runs one continuous loop on your own software so issues surface, get caught, and get fixed before they become an incident.

1 · Find it first

Test like an AI-assisted attacker

An agentic pentest probes your app across 50+ vulnerability classes the way a real attacker chains them, so exploitable flaws surface in your build before someone outside finds them.

2 · Catch it live

Detect and block exploitation at runtime

A kernel-level eBPF agent watches process trees and syscalls, recognises an attack sequence as it unfolds, and restricts the offending process on the spot rather than taking down the host.

3 · Fix it fast

Auto-patch what is reachable

Reachability ranks what genuinely matters, then autofix opens a pull request with the change, so remediation starts inside tight fix windows instead of sitting in a queue.

Risk-based prioritisation

From alert flood to a short list

KEV + EPSS + reachability turn a raw scan into the few findings that actually need action now.

  • Raw findings in dependency tree: ~12,400
  • Vulnerable & version-matched: ~4,700
  • Reachable in your code: ~1,360
  • KEV / high-EPSS · act now: ~370

Illustrative funnel. Reachability removes the bulk of unexploitable noise before triage.
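The funnel above can be expressed as a small triage pipeline. The following is an added example, not O3's code: the findings are constructed sample data with placeholder CVE ids, and the `EPSS_ACT_NOW` threshold is an assumed local policy value rather than a FedRAMP number. It shows the three stages in order (version match, reachability, KEV/EPSS) and why version comparison must be numeric, not lexical.

```python
"""Risk-based triage funnel: version match -> reachability -> KEV/EPSS.

Added example, not O3's code. Findings below are constructed sample data;
EPSS_ACT_NOW is an assumed policy threshold, not a FedRAMP value.
"""
from dataclasses import dataclass
from typing import Optional

EPSS_ACT_NOW = 0.10  # assumed policy: EPSS >= 10% counts as "high EPSS"


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    installed: str            # version present in the dependency tree
    vuln_from: str            # first affected version (inclusive)
    fixed_in: Optional[str]   # first fixed version (exclusive), None = unfixed
    reachable: bool           # does application code reach the vulnerable function?
    kev: bool                 # listed in CISA KEV?
    epss: float               # EPSS probability, 0..1


def version_key(v: str) -> tuple:
    """'1.10.0' -> (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def version_matched(f: Finding) -> bool:
    """Installed version falls inside [vuln_from, fixed_in)."""
    inst = version_key(f.installed)
    if inst < version_key(f.vuln_from):
        return False
    return f.fixed_in is None or inst < version_key(f.fixed_in)


def triage(findings: list) -> dict:
    """Apply the funnel stages in order; return stage counts and the act-now list."""
    matched = [f for f in findings if version_matched(f)]
    reachable = [f for f in matched if f.reachable]
    act_now = [f for f in reachable if f.kev or f.epss >= EPSS_ACT_NOW]
    # KEV first, then descending EPSS, so a crowded 30-day queue is worked riskiest-first.
    act_now.sort(key=lambda f: (not f.kev, -f.epss))
    return {
        "raw": len(findings),
        "version_matched": len(matched),
        "reachable": len(reachable),
        "act_now": [f.cve for f in act_now],
    }


# Constructed sample findings (CVE ids are placeholders, not real advisories)
SAMPLE = [
    Finding("CVE-0000-0001", "libfoo", "2.4.1", "2.0.0", "2.4.3", True, True, 0.02),
    Finding("CVE-0000-0002", "libfoo", "2.4.1", "2.5.0", None, True, False, 0.90),   # not yet affected
    Finding("CVE-0000-0003", "libbar", "1.10.0", "1.2.0", "1.9.0", True, False, 0.50),  # already fixed
    Finding("CVE-0000-0004", "libbaz", "0.9.7", "0.9.0", None, False, False, 0.80),  # unreachable
    Finding("CVE-0000-0005", "libqux", "3.1.0", "3.0.0", "3.2.0", True, False, 0.35),
    Finding("CVE-0000-0006", "libqux", "3.1.0", "3.0.0", "3.2.0", True, False, 0.01),  # low EPSS
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Note that CVE-0000-0003 would be wrongly kept by a string comparison ("1.10.0" < "1.9.0" lexically), which is exactly the kind of noise that inflates the raw count.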

Remediation expectations

The clock by finding type

Indicative fix windows. Tightest where exposure and active exploitation meet.

  • High-severity findings: 30 days
  • Moderate-severity findings: 90 days
  • Low-severity findings: 180 days

Reference: RA-5

How to run FedRAMP-compliant vulnerability scans

RA-5 is the operational core of continuous monitoring. FedRAMP expects authenticated, credentialed scans across three surfaces every month, not unauthenticated network sweeps that miss host-level issues.

References: NIST SP 800-53 Rev 5 RA-5; FedRAMP Rev 5 ConMon Vulnerability Scanning Playbook

  • Run authenticated scans monthly across all three layers: operating systems and infrastructure, web applications including their APIs, and databases (RA-5).
  • Use credentialed access so scanners see installed packages and configuration, not just open ports. Document any host that cannot be authenticated and why.
  • Scan the entire authorization boundary, including ephemeral and auto-scaled instances. Tie scan coverage back to your inventory so gaps are visible.
  • Feed every finding into a single tracked backlog with severity, discovery date, and SLA clock so remediation can be measured against the 30/90/180-day windows.
Where O3 helps

O3 runs SAST with source-to-sink taint analysis, SCA against OSV, and agentic DAST across 50+ vulnerability classes, covering the web-app and API layer of RA-5. Function-level reachability ranks whether a dependency flaw is actually exploitable so the backlog reflects real risk.

RA-5 SLAs

How to meet the 30 / 90 / 180-day remediation deadlines

FedRAMP fixes hard remediation windows by severity. The clock starts at discovery, so the difference between passing and failing ConMon is usually process discipline, not tooling.

References: NIST SP 800-53 Rev 5 RA-5; FedRAMP Rev 5 Continuous Monitoring Strategy Guide

  • Remediate high-severity findings within 30 days, moderate within 90, and low within 180, measured from the scan date (RA-5).
  • Where a fix cannot land in time, file a deviation request (false positive, operational requirement, or risk adjustment) with evidence before the deadline rather than after.
  • Track an aging report each month so findings approaching their SLA are escalated automatically.
  • Prioritize within each severity band using exploit likelihood so the riskiest items in a crowded 30-day queue are fixed first.
Where O3 helps

O3 prioritizes findings with EPSS exploit-probability and CISA KEV data, then offers autofix and auto-PR to shorten the path from discovery to a merged fix inside the 30/90/180-day windows.

SR family

How to satisfy the new SR supply chain control family

Rev 5 added the SR (Supply Chain Risk Management) family, raising the High baseline to 18 families. It pushes cloud providers to prove they understand and control what goes into their software.

References: NIST SP 800-53 Rev 5 SR-3 to SR-11; FedRAMP Baselines Rev 5

  • Maintain an inventory of every third-party and open-source component you ship, with versions and provenance, so you can answer what is in the product (SR-3, SR-4).
  • Verify component authenticity and watch for tampering or counterfeit packages before they enter the build (SR-11).
  • Document a secure SDLC: code reviews, branch protections, and access controls on source and build systems (SR-3, SR-5).
  • Establish acceptance criteria and monitoring for suppliers and dependencies so a compromised upstream package is caught quickly (SR-6, SR-8).
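The first two points (a complete component inventory under SR-3/SR-4, and an authenticity check under SR-11) can be enforced as a build-time gate over the SBOM. The following is an added example, not O3's code: the SBOM and the "downloaded" artifact bytes are constructed inline, the package names are placeholders, and the schema check is a minimal one, not a full CycloneDX validation. The field names used (`components`, `purl`, `hashes`, `alg`, `content`) are real CycloneDX JSON fields.

```python
"""SBOM inventory completeness (SR-3/SR-4) and component authenticity (SR-11).

Added example, not O3's code. The SBOM and artifact bytes are constructed
inline; the CycloneDX field names are real, the validation is minimal.
"""
import hashlib
import json

# Constructed "downloaded" artifacts, keyed by purl. In a real pipeline these
# would be the bytes pulled from the package registry at build time.
ARTIFACTS = {
    "pkg:npm/example-pad@1.3.0": b"module.exports = function pad() {}\n",
    "pkg:pypi/example-http@2.31.0": b"# example-http 2.31.0 sdist (constructed placeholder)\n",
    "pkg:npm/example-util@4.17.21": b"/* example-util 4.17.21 (constructed placeholder) */\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_sbom() -> dict:
    """Constructed CycloneDX-style SBOM with one deliberate tamper and one gap."""
    comps = []
    for purl, data in ARTIFACTS.items():
        name, version = purl.split("/")[-1].split("@")
        comps.append({"type": "library", "name": name, "version": version, "purl": purl,
                      "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}]})
    # Tamper: the recorded hash for example-util no longer matches the build bytes.
    comps[2]["hashes"][0]["content"] = sha256_hex(b"something else")
    # Gap: a component shipped with no version and no provenance at all.
    comps.append({"type": "library", "name": "mystery-lib"})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": comps}


def check_inventory(sbom: dict) -> list:
    """SR-3/SR-4: every shipped component needs a version, a purl and a hash."""
    problems = []
    for c in sbom.get("components", []):
        label = c.get("name", "<unnamed>")
        for field in ("version", "purl", "hashes"):
            if not c.get(field):
                problems.append(f"{label}: missing {field}")
    return problems


def check_authenticity(sbom: dict, artifacts: dict) -> list:
    """SR-11: the recorded SHA-256 must match the bytes actually entering the build."""
    problems = []
    for c in sbom.get("components", []):
        purl = c.get("purl")
        if not purl or not c.get("hashes"):
            continue  # already reported by check_inventory
        expected = next((h["content"] for h in c["hashes"] if h["alg"] == "SHA-256"), None)
        if expected is None:
            problems.append(f"{purl}: no SHA-256 recorded")
        elif purl not in artifacts:
            problems.append(f"{purl}: not present in build")
        elif sha256_hex(artifacts[purl]) != expected:
            problems.append(f"{purl}: hash mismatch (possible tampering)")
    return problems


if __name__ == "__main__":
    bom = build_sample_sbom()
    print(json.dumps(bom, indent=2))
    print(check_inventory(bom))
    print(check_authenticity(bom, ARTIFACTS))
```

A failing `check_authenticity` result is the signal that a package should not enter the build until its provenance is re-established; a failing `check_inventory` result means the SBOM cannot yet answer the SR-3/SR-4 question of what is in the product.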
Where O3 helps

O3 generates a CycloneDX SBOM enriched with deps.dev and VEX, plus CBOM, QBOM, AIBOM and HBOM, giving the component inventory SR-3/SR-4 expect. Malicious-dependency detection flags typosquats, malicious postinstall scripts and compromised maintainers, and O3 reads SLSA and cosign provenance to support authenticity checks (SR-11).

CA-7

How to operate continuous monitoring under CA-7

CA-7 is the wrapper that makes RA-5 and SI-2 ongoing obligations. Agencies expect a predictable monthly ConMon package and the ability to detect drift between assessments.

References: NIST SP 800-53 Rev 5 CA-7; FedRAMP Rev 5 Continuous Monitoring Strategy Guide

  • Define monitoring metrics and a reporting frequency, then deliver a consistent monthly ConMon deliverable (POA&M, scan results, inventory changes) per CA-7.
  • Detect configuration and inventory drift between authorized state and running state, and feed changes back into the assessment.
  • Keep the POA&M current so every open finding maps to a remediation plan and an SLA date.
  • Maintain runtime visibility so new exposures are caught between monthly scans, not only at scan time.
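Drift detection (the CA-7 point above) and scan-coverage reconciliation (the RA-5 point about tying scan coverage back to inventory) are the same comparison run against different inputs. The following is an added example, not O3's code: the authorized inventory, the running inventory and the set of hosts the monthly scan authenticated to are all constructed, and host and image names are placeholders.

```python
"""Inventory drift (CA-7) and authenticated-scan coverage gaps (RA-5).

Added example, not O3's code. All inputs are constructed: the authorized
inventory (what the SSP says runs), the running inventory (what a cloud API
or agent reports now), and the hosts the monthly scan authenticated to.
"""

# Authorized state of record (constructed)
AUTHORIZED = {
    "web-01": {"image": "ami-web-2024.05", "packages": {"openssl": "3.0.13", "nginx": "1.26.0"}},
    "web-02": {"image": "ami-web-2024.05", "packages": {"openssl": "3.0.13", "nginx": "1.26.0"}},
    "db-01":  {"image": "ami-db-2024.04",  "packages": {"postgresql": "15.6"}},
}

# Running state observed now (constructed): web-02 was rebuilt on a newer image,
# an auto-scaled web-03 appeared, and db-01's postgresql went backwards.
RUNNING = {
    "web-01": {"image": "ami-web-2024.05", "packages": {"openssl": "3.0.13", "nginx": "1.26.0"}},
    "web-02": {"image": "ami-web-2024.06", "packages": {"openssl": "3.0.14", "nginx": "1.26.0"}},
    "web-03": {"image": "ami-web-2024.06", "packages": {"openssl": "3.0.14", "nginx": "1.26.0"}},
    "db-01":  {"image": "ami-db-2024.04",  "packages": {"postgresql": "15.5"}},
}

# Hosts the monthly scan authenticated to (constructed): web-03 was missed because
# it was created after the target list was built; db-01 failed credentialed auth.
SCANNED = {"web-01", "web-02"}
SCAN_AUTH_FAILED = {"db-01"}


def drift_report(authorized: dict, running: dict) -> dict:
    """CA-7: compare authorized vs running state and list every difference."""
    auth_hosts, run_hosts = set(authorized), set(running)
    changes = []
    for host in sorted(auth_hosts & run_hosts):
        a, r = authorized[host], running[host]
        if a["image"] != r["image"]:
            changes.append((host, "image", a["image"], r["image"]))
        for pkg in sorted(set(a["packages"]) | set(r["packages"])):
            av, rv = a["packages"].get(pkg), r["packages"].get(pkg)
            if av != rv:
                changes.append((host, pkg, av, rv))
    return {
        "unauthorized_hosts": sorted(run_hosts - auth_hosts),  # running but not in the SSP
        "missing_hosts": sorted(auth_hosts - run_hosts),       # in the SSP but not running
        "changes": changes,
    }


def coverage_gaps(running: dict, scanned: set, auth_failed: set) -> dict:
    """RA-5: every running host needs an authenticated scan or a documented reason."""
    all_hosts = set(running)
    return {
        "unscanned": sorted(all_hosts - scanned - auth_failed),
        "auth_failed": sorted(auth_failed & all_hosts),  # must be documented with a reason
        "coverage_pct": round(100 * len(scanned & all_hosts) / len(all_hosts), 1),
    }


if __name__ == "__main__":
    print(drift_report(AUTHORIZED, RUNNING))
    print(coverage_gaps(RUNNING, SCANNED, SCAN_AUTH_FAILED))
```

Running this against the constructed inputs surfaces the three things a ConMon package has to explain: an unauthorized host (web-03), a package that moved to an older version (db-01), and a host with no authenticated scan result.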
Where O3 helps

O3's eBPF runtime agent builds kernel-level process trees and detects attack chains continuously, and its L7 deep packet inspection baselines egress and flags exfiltration and DNS tunneling, adding between-scan signal that supports CA-7 monitoring.

SI-2

How to run flaw remediation under SI-2

SI-2 is the control behind your patching discipline. It connects identified flaws to installed fixes and ties directly into the RA-5 remediation timelines.

References: NIST SP 800-53 Rev 5 SI-2; FedRAMP Baselines Rev 5

  • Identify, report, and correct system flaws, and install security-relevant updates within the time periods your SSP commits to (SI-2).
  • Test patches before deployment where feasible, and track which assets received which fix so closure can be evidenced.
  • Automate update deployment where possible to keep pace with the 30/90/180-day RA-5 windows (SI-2(2)).
  • Centralize flaw status so SI-2 remediation evidence and RA-5 scan closure tell the same story.
Where O3 helps

O3 autofix and auto-PR generate remediation changes directly, helping close flaws within SI-2 timeframes, and reachability plus EPSS/KEV ensure effort goes to flaws that are genuinely exploitable.

Governance

How to manage POA&Ms and deviation requests

Findings that cannot be closed in time do not have to break your authorization, but they must be governed transparently. The POA&M and the deviation request are the mechanisms FedRAMP gives you.

References: FedRAMP Rev 5 Continuous Monitoring Strategy Guide; FedRAMP POA&M Template Completion Guide

  • Record every open finding on the Plan of Action and Milestones with severity, source scan, planned completion date, and SLA.
  • Submit deviation requests (false positive, operational requirement, or risk adjustment) with supporting evidence before the SLA expires, not after a breach.
  • Review aging POA&M items monthly and escalate anything trending past its window.
  • Keep a defensible audit trail linking scan output, ticket, fix, and verification rescan for each closed item.
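The SLA clock from the RA-5 section and the POA&M aging and deviation rules above reduce to one classification function over each open item. The following is an added example, not O3's code. The 30/90/180-day windows and the three deviation types are the page's; the 7-day "approaching" escalation threshold, the review date and the POA&M rows are constructed assumptions.

```python
"""RA-5 SLA clock, POA&M aging and deviation-request timing.

Added example, not O3's code. SLA_DAYS are the page's RA-5 windows and the
deviation types match the page; APPROACHING_DAYS, TODAY and the sample rows
are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = {"high": 30, "moderate": 90, "low": 180}   # RA-5 remediation windows
APPROACHING_DAYS = 7                                   # assumed escalation threshold
DEVIATION_TYPES = {"false_positive", "operational_requirement", "risk_adjustment"}


@dataclass
class PoamItem:
    finding_id: str
    severity: str
    discovered: date                      # scan date the finding was first reported
    closed: Optional[date] = None         # verification rescan confirmed the fix
    deviation_type: Optional[str] = None
    deviation_filed: Optional[date] = None

    @property
    def due(self) -> date:
        """The clock starts at discovery, not at triage or ticket creation."""
        return self.discovered + timedelta(days=SLA_DAYS[self.severity])


def status(item: PoamItem, today: date) -> str:
    """Classify a POA&M item against its SLA as of 'today'."""
    if item.closed is not None:
        return "closed_on_time" if item.closed <= item.due else "closed_late"
    if item.deviation_type is not None:
        if item.deviation_type not in DEVIATION_TYPES:
            raise ValueError(f"unknown deviation type {item.deviation_type!r}")
        # A deviation only governs the finding if it was filed before the SLA expired.
        if item.deviation_filed is not None and item.deviation_filed <= item.due:
            return "deviation_filed"
        return "deviation_late"
    remaining = (item.due - today).days
    if remaining < 0:
        return "overdue"
    if remaining <= APPROACHING_DAYS:
        return "approaching"
    return "open"


def aging_report(items: list, today: date) -> dict:
    """Monthly aging view: finding ids grouped by status, soonest due first."""
    report = {}
    for item in sorted(items, key=lambda i: i.due):
        report.setdefault(status(item, today), []).append(item.finding_id)
    return report


# Constructed sample POA&M as of an assumed review date
TODAY = date(2024, 6, 15)
SAMPLE = [
    PoamItem("F-1", "high", date(2024, 5, 1)),                               # due 2024-05-31: overdue
    PoamItem("F-2", "high", date(2024, 5, 20)),                              # due 2024-06-19: approaching
    PoamItem("F-3", "moderate", date(2024, 4, 1), closed=date(2024, 6, 1)),  # due 2024-06-30: closed on time
    PoamItem("F-4", "low", date(2023, 12, 1), closed=date(2024, 6, 10)),     # due 2024-05-29: closed late
    PoamItem("F-5", "high", date(2024, 5, 10), deviation_type="false_positive",
             deviation_filed=date(2024, 6, 5)),                              # due 2024-06-09: filed before
    PoamItem("F-6", "moderate", date(2024, 3, 1), deviation_type="risk_adjustment",
             deviation_filed=date(2024, 6, 10)),                             # due 2024-05-30: filed after
    PoamItem("F-7", "low", date(2024, 6, 1)),                                # due 2024-11-28: open
]

if __name__ == "__main__":
    for item in SAMPLE:
        print(item.finding_id, item.due, status(item, TODAY))
    print(aging_report(SAMPLE, TODAY))
```

The distinction between `deviation_filed` and `deviation_late` is the point the governance guidance makes: a deviation request submitted after the window has already expired does not retroactively govern the finding.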
The whole framework

Every control that matters mapped to what you actually do

All 22 requirement areas, each with the reference and a vendor-neutral note on how teams meet it.

  • RA-5 (6 areas): vulnerability scanning and SLAs
  • SI / SR integrity (9 areas): flaw remediation, integrity and supply chain
  • CA / CM (4 areas): continuous monitoring and change control
  • ConMon ops (3 areas): inventory, prioritization and deviations

Requirement area | Reference | How teams meet it
RA-5 Vulnerability scanning | 800-53 RA-5 | Monthly authenticated scans, three layers
RA-5 OS / infrastructure scans | 800-53 RA-5 | Credentialed host and infra scanning
RA-5 Web application + API scans | 800-53 RA-5 | DAST across apps and exposed APIs
RA-5 Database scans | 800-53 RA-5 | Authenticated database configuration scanning
Remediation SLAs (high/mod/low) | 800-53 RA-5 | Close within 30 / 90 / 180 days
SI-2 Flaw remediation | 800-53 SI-2 | Identify, test, and install fixes
SI-2(2) Automated flaw remediation | 800-53 SI-2(2) | Automate patch and update deployment
SI-7 Software / firmware integrity | 800-53 SI-7 | Detect unauthorized code changes
SI-4 System monitoring | 800-53 SI-4 | Runtime detection of malicious activity
CA-7 Continuous monitoring | 800-53 CA-7 | Monthly ConMon metrics and reporting
CA-5 Plan of Action & Milestones | 800-53 CA-5 | Track open findings and remediation dates
SR-3 Supply chain controls & processes | 800-53 SR-3 | Secure SDLC, reviews, access control
SR-4 Provenance | 800-53 SR-4 | Track component origin and lineage
SR-5 Acquisition strategies | 800-53 SR-5 | Vet suppliers and dependency sources
SR-6 Supplier assessments & reviews | 800-53 SR-6 | Assess third-party risk on cadence
SR-11 Component authenticity | 800-53 SR-11 | Detect counterfeit and tampered packages
SA-11 Developer security testing | 800-53 SA-11 | SAST, SCA and DAST in the SDLC
SA-15 Development process & tools | 800-53 SA-15 | Defined secure build and review process
CM-3 / CM-6 Configuration management | 800-53 CM-3 | Authorize and baseline all changes
Software / component inventory (SBOM) | 800-53 SR-3 / SR-4 | Maintain CycloneDX component inventory
Vulnerability prioritization | FedRAMP ConMon | Rank by exploitability and KEV
Deviation requests | FedRAMP ConMon | File FP / OR / RA before SLA expiry

Turn RA-5 and SR into a measurable rhythm

FedRAMP Rev 5 rewards providers who can prove the loop runs every month: scan, prioritize, fix, and evidence. O3 covers the application and supply-chain side of that loop with SAST, SCA, reachability, agentic DAST, a CycloneDX SBOM, malicious-dependency detection, and EPSS/KEV-driven autofix, plus eBPF runtime signal between scans. See where it fits your continuous monitoring package.

FAQ

Common questions.

Everything teams ask before rolling this out. Still stuck? Reach our team.

  • Under RA-5, cloud service providers must remediate high-severity findings within 30 days, moderate within 90 days, and low within 180 days. The clock starts at the scan discovery date. Findings that cannot be closed in time must be tracked on the POA&M or addressed through a documented deviation request before the deadline.
  • FedRAMP requires monthly authenticated, credentialed vulnerability scans as part of continuous monitoring. Scans must cover three layers: operating systems and infrastructure, web applications including their APIs, and databases. Coverage must span the full authorization boundary, including auto-scaled and ephemeral instances.
  • SR is the Supply Chain Risk Management control family added in Rev 5, which raised the High baseline from 17 to 18 control families. It requires providers to assess software trustworthiness, manage third-party dependencies, verify component provenance and authenticity (SR-4, SR-11), and secure their SDLC with code reviews and access controls.
  • CA-7 requires an ongoing monitoring program with defined metrics and reporting frequency, delivered as a monthly ConMon package: updated scan results, an inventory of changes, and a current POA&M. It is the control that turns RA-5 scanning and SI-2 remediation from point-in-time checks into continuous obligations agencies review.
  • RA-5 finds the flaws through scanning; SI-2 governs fixing them. SI-2 covers identifying, reporting, testing, and installing security-relevant updates within committed timeframes. In practice the two share one backlog: an RA-5 finding becomes an SI-2 remediation action tracked against the 30/90/180-day windows.
  • FedRAMP does not name a standalone SBOM mandate, but the SR family (SR-3, SR-4) effectively requires a maintained inventory of third-party and open-source components with provenance, and RA-5 needs that inventory to scope scanning. A CycloneDX SBOM is the practical way to satisfy both and to demonstrate component authenticity under SR-11.
  • FedRAMP Rev 5 defines Low, Moderate, and High baselines aligned to NIST SP 800-53 Rev 5, plus a LI-SaaS tailored baseline. The High baseline includes 18 control families after SR was added. The baseline you select determines which controls, including which RA-5 and SR enhancements, apply to your system.
  • Overdue findings damage your continuous monitoring posture under CA-7 and can put the authorization at risk if they accumulate or go ungoverned. The expected path is to track the item on the POA&M and, where a timely fix is not feasible, submit a deviation request (false positive, operational requirement, or risk adjustment) with evidence before the SLA expires.
