1. Introduction: "This is an Incident"
During a recent FedRAMP special event on vulnerability management, Director Pete Waterman shared an anecdote that perfectly captures the new reality of federal cybersecurity. When discussing the prioritization of internet-reachable vulnerabilities with a CISO from a major tech company, her response was immediate and clear: "This is an incident. That's not something we can fix in 30 days. That's an incident. We need to fix that right now."
That sentiment—treating active threats not as compliance findings but as active security incidents—is the driving force behind FedRAMP's Request for Comment (RFC) 0012. This proposed "Continuous Vulnerability Management Standard" is not an incremental update; it is a major proposal from the FedRAMP PMO to codify a new, aggressive, threat-informed security posture, testing its viability as a cornerstone of the FedRAMP 20X mission and as a change to the FedRAMP Revision 5 continuous monitoring requirements. For the federal government as a whole, the demanding nature of RFC-0012 introduces another significant obstacle to widespread agency adoption of 20X. This article deconstructs the RFC's demanding new standard and, using insights from the recent FedRAMP special event, explores how some industry leaders are already meeting this challenge.
2. The New Mandate: Deconstructing RFC-0012's "Operational Pressure Cooker"
RFC-0012 establishes a new doctrine for federal cloud security rooted in speed, context, and a continuous, aggressive posture against real-world threats. It creates an "operational pressure cooker" designed to eliminate the lengthy remediation cycles that have long characterized traditional vulnerability management. This pressure is built on three core requirements:
- Aggressive Timelines: The RFC introduces stark, non-negotiable deadlines for remediation. Critical vulnerabilities must be fixed within 3 days, Highs within 7, and Moderates within 21. These timelines are intensified by demanding scanning cadences, requiring internet-reachable resources to be scanned at least every 3 days. The operational implication is profound: a critical vulnerability discovered on a Monday must be fully remediated by Thursday, a velocity that is impossible to achieve with manual processes.
- Exploitability is King: This is the most critical paradigm shift. The RFC formally demotes the static Common Vulnerability Scoring System (CVSS) score as the primary driver of prioritization. Instead, a vulnerability's priority must be escalated based on real-world threat intelligence. The two primary triggers are a vulnerability's inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog or the public availability of exploit code. This means a vulnerability originally scored as a CVSS Moderate could suddenly demand a 3-day remediation window, fundamentally altering the risk calculus from a theoretical assessment of severity to a practical assessment of threat.
- Context is Mandatory: The standard moves beyond simply identifying a CVE. It demands a "credible exploitability analysis" that considers a vulnerability's reachability, its applicability within the system, and its potential adverse impact on the mission. Furthermore, the RFC strategically expands the definition of "vulnerability" to include "all weaknesses," such as misconfigurations, weak credentials, and insecure services. This officially breaks down the silos between traditional vulnerability management (patching CVEs) and configuration management (fixing misconfigurations), forcing a unified view of risk.
3. The Industry's Answer: From Vulnerability Management to Exposure Management
The principles codified in RFC-0012 are a direct reflection of a critical, industry-wide evolution in cybersecurity strategy. As one industry leader from a major SaaS provider articulated during the FedRAMP special event, "We have exposure management, and then we have vulnerability management. So exposure management is those vulnerabilities that are exploitable, have a known exploit, and are on business-critical assets, and then vulnerability management is just really patch management at the end of the day." This distinction is key. The industry is moving away from a reactive, compliance-driven "patching" mentality toward a proactive, risk-based posture known as Continuous Threat Exposure Management (CTEM). Championed by industry analysts like Gartner, CTEM is a programmatic approach that focuses on answering a more strategic question: "What are the most likely ways we will be attacked, and how do we fix those paths first?" By issuing RFC-0012, the FedRAMP PMO is effectively requiring its Cloud Service Providers (CSPs) to adopt and operationalize this more sophisticated, exposure-focused model.
4. The Modern Toolkit: How Industry Leaders are Meeting the Mandate
Meeting the demands of RFC-0012 is impossible at scale with manual processes alone. The recent FedRAMP special event provided a clear window into the modern toolkit that some industry leaders are already using to meet this new standard of care.
- Prioritizing with KEV & EPSS: Most panelists agreed that CISA's KEV catalog is the definitive, non-negotiable source for immediate prioritization. The Exploit Prediction Scoring System (EPSS), which uses machine learning to predict the likelihood of a vulnerability being exploited, is also a valuable tool for predictive analysis. However, as one panelist from a leading cloud security firm noted, it's not a silver bullet. Context is still required, and in its absence, vendor-provided severity scores often remain a practical fallback for initial triage.
- The Role of Agentic AI in Triage: To handle the sheer volume of vulnerability data, some organizations are leveraging agentic AI to perform the initial, automated triage at scale. This represents a leap beyond simple automation, where AI agents can perform multi-step analysis to contextualize findings. However, the panelists were unanimous in their caution. As one noted, while you can use AI for the initial triage, the final mitigation decision "can never be left in the hands of AI," emphasizing the continued need for human oversight and validation.
- Innovative Approaches to Threat Surface Reduction: The most mature organizations are moving beyond just reacting to vulnerabilities. Another panelist highlighted a proactive strategy of using "distroless" containers, which dramatically reduces the baseline attack surface by over 80% from the start, meaning there are simply fewer vulnerabilities to manage in the first place.
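To make the rules in sections 2 and 4 concrete, the following is an added example (not FedRAMP's code, not the RFC text, and not any panelist's tooling) that expresses the triage logic as code: the stated 3/7/21-day remediation windows, escalation to the Critical window when a CVE is in CISA KEV or has public exploit code, the 3-day scan cadence for internet-reachable resources, and the "exposure management" cut from section 3 (exploitable, on a business-critical asset) with EPSS used where available and the vendor severity as the fallback. The `Finding` field names, the EPSS threshold of 0.5, the reference date and the `CVE-EXAMPLE-*` sample findings are constructed assumptions; the RFC assigns no window to Low on this page, so none is set here.

```python
"""RFC-0012-style triage as policy-as-code (added example, not FedRAMP's code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Remediation windows in days as stated in the article; Low has no stated window.
REMEDIATION_DAYS = {"critical": 3, "high": 7, "moderate": 21}
SCAN_CADENCE_DAYS = 3          # internet-reachable resources: scanned at least every 3 days
EPSS_HIGH_THRESHOLD = 0.5      # constructed assumption, not a value from the RFC
SEVERITY_ORDER = ["low", "moderate", "high", "critical"]


@dataclass
class Finding:
    cve: str
    vendor_severity: str               # scanner/vendor CVSS bucket, e.g. "moderate"
    discovered: date
    in_kev: bool = False               # listed in CISA Known Exploited Vulnerabilities
    exploit_public: bool = False       # public exploit code is available
    internet_reachable: bool = False
    business_critical: bool = False
    epss: Optional[float] = None       # EPSS probability 0..1; None when unavailable
    last_scanned: Optional[date] = None


def effective_severity(f: Finding) -> str:
    """Threat-informed severity: KEV membership or public exploit code
    overrides the static CVSS bucket and forces the Critical window."""
    if f.in_kev or f.exploit_public:
        return "critical"
    return f.vendor_severity.lower()


def remediation_due(f: Finding) -> Optional[date]:
    """Deadline from the effective severity; None where no window is stated (Low)."""
    days = REMEDIATION_DAYS.get(effective_severity(f))
    return None if days is None else f.discovered + timedelta(days=days)


def scan_overdue(f: Finding, today: date) -> bool:
    """True when an internet-reachable resource has exceeded the 3-day cadence
    (or was never scanned). Non-reachable resources are not checked here."""
    if not f.internet_reachable:
        return False
    if f.last_scanned is None:
        return True
    return (today - f.last_scanned).days > SCAN_CADENCE_DAYS


def exploitability_score(f: Finding) -> float:
    """EPSS where available; otherwise the vendor severity mapped onto 0..1,
    mirroring the panel's point that vendor scores remain a practical fallback."""
    if f.epss is not None:
        return f.epss
    return (SEVERITY_ORDER.index(f.vendor_severity.lower()) + 1) / len(SEVERITY_ORDER)


def is_exposure(f: Finding) -> bool:
    """The exposure-management cut: exploitable (KEV, public exploit, or high EPSS)
    AND on a business-critical asset. Everything else is ordinary patch management."""
    exploitable = (f.in_kev or f.exploit_public
                   or exploitability_score(f) >= EPSS_HIGH_THRESHOLD)
    return exploitable and f.business_critical


def triage(findings: List[Finding]) -> List[Finding]:
    """Work order: exposures first, then earliest due date, then exploitability."""
    def key(f: Finding):
        due = remediation_due(f)
        return (not is_exposure(f), due is None, due or date.max, -exploitability_score(f))
    return sorted(findings, key=key)


# Constructed sample data: placeholder CVE ids, not real vulnerabilities.
TODAY = date(2025, 8, 4)
SAMPLE = [
    Finding("CVE-EXAMPLE-1", "moderate", date(2025, 8, 1), in_kev=True,
            internet_reachable=True, business_critical=True, epss=0.92,
            last_scanned=date(2025, 7, 30)),
    Finding("CVE-EXAMPLE-2", "high", date(2025, 8, 1), business_critical=False),
    Finding("CVE-EXAMPLE-3", "moderate", date(2025, 8, 1), epss=0.1,
            internet_reachable=True, business_critical=True,
            last_scanned=date(2025, 8, 3)),
    Finding("CVE-EXAMPLE-4", "low", date(2025, 8, 1)),
]


def run_sample() -> List[str]:
    """Return the triaged CVE order for the constructed sample."""
    return [f.cve for f in triage(SAMPLE)]


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f.cve, effective_severity(f), remediation_due(f),
              "exposure" if is_exposure(f) else "patch-mgmt",
              "SCAN OVERDUE" if scan_overdue(f, TODAY) else "")
```

The point the code makes is the one the article makes in prose: `CVE-EXAMPLE-1` is scored Moderate by the vendor, but KEV membership moves its deadline from 21 days to 3 and puts it in the exposure bucket, while a High on a non-critical asset with no exploit intelligence stays in routine patch management with its 7-day window.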
5. Conclusion & Call to Action: The Path Forward
The transition to this new model will not be without its challenges. The panelists raised valid industry concerns, including the compliance overhead of chasing CVSS scores for non-critical assets and the need for better alignment between the requirements of FedRAMP, the DoD, and GovRAMP to enable true, cross-platform automation. Despite these complexities, the path forward is clear. The FedRAMP PMO has laid out an actionable timeline: public comment for RFC-0012 closes August 21st, after which the new standard will be piloted within the FedRAMP 20X initiative and a beta for Rev 5, with a final policy expected in 6-9 months.
The message is unambiguous: RFC-0012 is a forcing function. The era of slow, compliance-driven vulnerability management is over. The new standard of care is threat-informed, context-aware, and continuous. For CSPs, 3PAOs, and federal agencies, the time to prepare is now. This isn't just about preparing for 20X; the principles of threat-informed prioritization and contextual risk analysis are so fundamental that they will inevitably become the expected best practice for all federal authorizations, including the existing Rev 5 process.
Organizations should begin taking general steps to align with this future:
- Conduct a Gap Analysis: Assess your current vulnerability management program against the tenets of RFC-0012. Identify the gaps in your technology, processes, and skills related to scanning frequency, prioritization logic, and remediation speed.
- Invest in Context: Begin shifting your focus and tooling from a purely CVSS-based model to one that incorporates threat intelligence like KEV and predictive data like EPSS. Prioritize solutions that provide attack path analysis and can determine the real-world reachability of a vulnerability.
- Embrace Automation: The timelines mandated by the RFC are a clear signal that manual processes are no longer viable. Invest in automating the entire vulnerability lifecycle, from discovery and ticketing to remediation and validation.
- Upskill Your Teams: The shift from vulnerability management to exposure management requires a new skillset. Invest in training for your security and IT teams on threat intelligence analysis, risk-based prioritization, and the tools and techniques of a modern, proactive security program.
With this line in the sand, the FedRAMP PMO is making its intentions clear. For those who build, operate, and secure cloud systems for the public sector, the future of compliance is no longer about checking a box—it's about continuously proving you can outpace the threat.
References
- FedRAMP RFC-0012: Continuous Vulnerability Management Standard. Available at: https://www.fedramp.gov/rfcs/0012/
- Gartner, Continuous Threat Exposure Management (CTEM). Available at: https://www.gartner.com/en/cybersecurity/topics/cybersecurity-threats
- FedRAMP Special Event: Vulnerability Management (RFC-0012). Available at: https://www.youtube.com/watch?v=Z8-9Ef2cnNQ&ab_channel=FedRAMP