The Paramify Podcast

The VDR Mandate Is Here: FedRAMP NTC-0014 and CISA BOD 26-04 Explained


Listen Later

Monthly vulnerability scans and POA&M spreadsheets aren't going to cut it anymore. Kenny and Isaac break down FedRAMP NTC-0014 and CISA BOD 26-04, the two mandates reshaping how cloud service providers approach vulnerability management, and what CSPs need to do before the December 7, 2026 deadline hits.

They cover why AI has fundamentally changed the threat landscape, how tools like Wiz are helping teams understand attack paths instead of just CVE lists, and what the FedRAMP VDR/VER standard actually requires in practice. Plus, why showing red in your trust center might be the best thing you can do for agency confidence.

If you're a CSP still running manual scans and hoping for the best, this one's for you.

Resources mentioned:

- FedRAMP NTC-0014 (VDR/VER Mandate): https://www.fedramp.gov/notices/0014/

- FedRAMP VDR Technical Docs: https://www.fedramp.gov/docs/20x/vulnerability-detection-and-response/
- CISA BOD 26-04 Implementation Guidance: https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- CISA SSVC Decision Tree Methodology: https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc
- FedRAMP NTC-0013 (Rev 5 Sunset): https://www.fedramp.gov/notices/0013/
- FedRAMP Marketplace: https://marketplace.fedramp.gov/

Learn more about Paramify: https://www.paramify.com/

Chapters:

0:00 - Transparency in Trust Centers: Why Agencies Want to See Red
0:13 - Episode Intro & FedRAMP NTC-0014 Explained
3:24 - CISA BOD 26-04 and the December 7, 2026 Deadline
5:46 - Why the Old FedRAMP Approach Is Broken
9:01 - How AI Changed the Vulnerability Landscape
11:35 - DARPA's AI Cyber Challenge at DEF CON
13:12 - Risk-Based Vulnerability Prioritization: The FedRAMP VDR Response
15:15 - Smart Architecture as a Security Foundation
20:14 - The FedRAMP VDR Standard: Scanning Requirements
21:27 - SSVC Decision Tree: Triage Methodology
22:14 - What "Internet Reachable" Actually Means
24:07 - Likely Exploitable: The CISA KEV List
26:58 - Agency Impact and the Pain Scale
28:25 - Pain Level Timelines by FedRAMP Class
31:00 - Ditching the POA&M Spreadsheet Mindset
32:10 - What to Stop Doing in the Old Model
34:17 - Boundary Diagrams vs. Terraform Truth
36:24 - Why Transparency Wins with Agency Customers
41:08 - Trust Centers Done Right: The OpenAI Status Page Example
43:06 - What Large Orgs Getting Ahead Are Doing
45:06 - Incident Response and Vulnerability Management: Blurring Lines
46:55 - Outro

...more
View all episodesView all episodes
Download on the App Store

The Paramify PodcastBy Paramify