@mitre/hdf-schema 3.0.0 → 3.1.0-rc.1

package/dist/ts/hdf-amendments.d.ts

@@ -1,5 +1,5 @@
 /**
- * Waivers, attestations, exceptions, and POA&Ms that modify requirement compliance status.
+ * Waivers, attestations, and POA&Ms that modify requirement compliance status or impact.
  * Amendments are standalone documents that can be applied to results via merge operations.
  */
 export interface HdfAmendments {
@@ -41,7 +41,7 @@ export interface HdfAmendments {
      */
     name: string;
     /**
-     * The set of amendments (waivers, attestations, exceptions, POA&Ms).
+     * The set of amendments (waivers, attestations, POA&Ms, and other overrides).
      */
     overrides: StandaloneOverride[];
     /**
@@ -158,9 +158,9 @@ export declare enum HashAlgorithm {
     Sha512 = "sha512"
 }
 /**
- * A standalone amendment that modifies a requirement's compliance status. Extends the
- * inline Status_Override concept with requirementId and baselineRef for use outside of
- * results documents.
+ * A standalone amendment that modifies a requirement's compliance status and/or impact
+ * score. At least one of status or impact must be set. Extends the inline Override concept
+ * with requirementId and baselineRef for use outside of results documents.
  */
 export interface StandaloneOverride {
     /**
@@ -190,6 +190,10 @@ export interface StandaloneOverride {
      * format.
      */
     expiresAt: Date;
+    /**
+     * Override to the requirement's impact score. At least one of status or impact must be set.
+     */
+    impact?: ImpactOverride;
     /**
      * componentId of the local component that provides this control. Set when the provider is
      * in the same system. Omit for external or cross-system providers; the reason field
@@ -219,10 +223,9 @@ export interface StandaloneOverride {
      */
     signature?: Signature;
     /**
-     * The new status this amendment sets. For POA&Ms, this is the current status (POA&Ms track
-     * work, they don't change status).
+     * The new status this amendment sets. Optional when only impact is being overridden.
      */
-    status: ResultStatus;
+    status?: ResultStatus;
     /**
      * The type of amendment.
      */
@@ -280,6 +283,20 @@ export declare enum EvidenceType {
     Screenshot = "screenshot",
     URL = "url"
 }
+/**
+ * Override to the requirement's impact score. At least one of status or impact must be
+ * set.
+ *
+ * An override to the requirement's impact score. The prior impact is the original result
+ * value or the preceding override in the chain.
+ */
+export interface ImpactOverride {
+    /**
+     * The overridden impact score (0.0–1.0).
+     */
+    value: number;
+    [property: string]: any;
+}
 /**
  * A milestone or task within a POA&M remediation plan.
  */
@@ -415,8 +432,7 @@ export interface VerificationMethod {
     [property: string]: any;
 }
 /**
- * The new status this amendment sets. For POA&Ms, this is the current status (POA&Ms track
- * work, they don't change status).
+ * The new status this amendment sets. Optional when only impact is being overridden.
  *
  * The status of an individual test result. 'notApplicable' indicates the requirement does
  * not apply to the target. 'notReviewed' indicates the requirement was not assessed (e.g.,
@@ -432,15 +448,27 @@ export declare enum ResultStatus {
 /**
  * The type of amendment.
  *
- * The type of amendment. 'waiver': risk accepted (AO). 'attestation': manually verified
- * (assessor). 'exception': not applicable (system owner + AO). 'poam': remediation tracked
- * (no status change). 'inherited': control provided by another component or system
- * (overrides to notApplicable/passed).
+ * The type of amendment, aligned with FedRAMP deviation request categories. 'waiver': risk
+ * accepted by Authorizing Official. 'attestation': manually verified by assessor. 'poam':
+ * remediation tracked (no status change). 'inherited': control provided by another
+ * component or system. 'falsePositive': scanner incorrectly identified a finding — for
+ * compliance scans (STIG, CIS), the check actually passes, so status is typically set to
+ * 'passed'; for vulnerability scans (CVE, SCA), the flagged vulnerability does not apply to
+ * this system, so status is typically set to 'notApplicable'. The disposition field on the
+ * requirement distinguishes false positives from genuinely not-applicable findings.
+ * 'riskAdjustment': impact score adjusted based on environmental context (FedRAMP Risk
+ * Adjustment); does not change pass/fail status, only impact via the impact field.
+ * 'operationalRequirement': deviation required by operational constraints (FedRAMP
+ * Operational Requirement); the finding cannot be remediated because the system requires
+ * the affected functionality. Remains an open risk. Migration note: 'exception' was removed
+ * in v3.1.0 — use 'waiver' with status 'notApplicable' instead.
  */
 export declare enum OverrideType {
     Attestation = "attestation",
-    Exception = "exception",
+    FalsePositive = "falsePositive",
     Inherited = "inherited",
+    OperationalRequirement = "operationalRequirement",
     Poam = "poam",
+    RiskAdjustment = "riskAdjustment",
     Waiver = "waiver"
 }

package/dist/ts/hdf-amendments.js

@@ -44,8 +44,7 @@ export var Status;
     Status["Pending"] = "pending";
 })(Status || (Status = {}));
 /**
- * The new status this amendment sets. For POA&Ms, this is the current status (POA&Ms track
- * work, they don't change status).
+ * The new status this amendment sets. Optional when only impact is being overridden.
  *
  * The status of an individual test result. 'notApplicable' indicates the requirement does
  * not apply to the target. 'notReviewed' indicates the requirement was not assessed (e.g.,
@@ -62,16 +61,28 @@ export var ResultStatus;
 /**
  * The type of amendment.
  *
- * The type of amendment. 'waiver': risk accepted (AO). 'attestation': manually verified
- * (assessor). 'exception': not applicable (system owner + AO). 'poam': remediation tracked
- * (no status change). 'inherited': control provided by another component or system
- * (overrides to notApplicable/passed).
+ * The type of amendment, aligned with FedRAMP deviation request categories. 'waiver': risk
+ * accepted by Authorizing Official. 'attestation': manually verified by assessor. 'poam':
+ * remediation tracked (no status change). 'inherited': control provided by another
+ * component or system. 'falsePositive': scanner incorrectly identified a finding — for
+ * compliance scans (STIG, CIS), the check actually passes, so status is typically set to
+ * 'passed'; for vulnerability scans (CVE, SCA), the flagged vulnerability does not apply to
+ * this system, so status is typically set to 'notApplicable'. The disposition field on the
+ * requirement distinguishes false positives from genuinely not-applicable findings.
+ * 'riskAdjustment': impact score adjusted based on environmental context (FedRAMP Risk
+ * Adjustment); does not change pass/fail status, only impact via the impact field.
+ * 'operationalRequirement': deviation required by operational constraints (FedRAMP
+ * Operational Requirement); the finding cannot be remediated because the system requires
+ * the affected functionality. Remains an open risk. Migration note: 'exception' was removed
+ * in v3.1.0 — use 'waiver' with status 'notApplicable' instead.
  */
 export var OverrideType;
 (function (OverrideType) {
     OverrideType["Attestation"] = "attestation";
-    OverrideType["Exception"] = "exception";
+    OverrideType["FalsePositive"] = "falsePositive";
     OverrideType["Inherited"] = "inherited";
+    OverrideType["OperationalRequirement"] = "operationalRequirement";
     OverrideType["Poam"] = "poam";
+    OverrideType["RiskAdjustment"] = "riskAdjustment";
     OverrideType["Waiver"] = "waiver";
 })(OverrideType || (OverrideType = {}));

package/dist/ts/hdf-amendments.ts

@@ -1,5 +1,5 @@
 /**
- * Waivers, attestations, exceptions, and POA&Ms that modify requirement compliance status.
+ * Waivers, attestations, and POA&Ms that modify requirement compliance status or impact.
  * Amendments are standalone documents that can be applied to results via merge operations.
  */
 export interface HdfAmendments {
@@ -39,7 +39,7 @@ export interface HdfAmendments {
      */
     name: string;
     /**
-     * The set of amendments (waivers, attestations, exceptions, POA&Ms).
+     * The set of amendments (waivers, attestations, POA&Ms, and other overrides).
      */
     overrides: StandaloneOverride[];
     /**
@@ -162,9 +162,9 @@ export enum HashAlgorithm {
 }
 
 /**
- * A standalone amendment that modifies a requirement's compliance status. Extends the
- * inline Status_Override concept with requirementId and baselineRef for use outside of
- * results documents.
+ * A standalone amendment that modifies a requirement's compliance status and/or impact
+ * score. At least one of status or impact must be set. Extends the inline Override concept
+ * with requirementId and baselineRef for use outside of results documents.
  */
 export interface StandaloneOverride {
     /**
@@ -194,6 +194,10 @@ export interface StandaloneOverride {
      * format.
      */
     expiresAt: Date;
+    /**
+     * Override to the requirement's impact score. At least one of status or impact must be set.
+     */
+    impact?: ImpactOverride;
     /**
      * componentId of the local component that provides this control. Set when the provider is
      * in the same system. Omit for external or cross-system providers; the reason field
@@ -223,10 +227,9 @@ export interface StandaloneOverride {
      */
     signature?: Signature;
     /**
-     * The new status this amendment sets. For POA&Ms, this is the current status (POA&Ms track
-     * work, they don't change status).
+     * The new status this amendment sets. Optional when only impact is being overridden.
      */
-    status: ResultStatus;
+    status?: ResultStatus;
     /**
      * The type of amendment.
      */
@@ -287,6 +290,21 @@ export enum EvidenceType {
     URL = "url",
 }
 
+/**
+ * Override to the requirement's impact score. At least one of status or impact must be
+ * set.
+ *
+ * An override to the requirement's impact score. The prior impact is the original result
+ * value or the preceding override in the chain.
+ */
+export interface ImpactOverride {
+    /**
+     * The overridden impact score (0.0–1.0).
+     */
+    value: number;
+    [property: string]: any;
+}
+
 /**
  * A milestone or task within a POA&M remediation plan.
  */
@@ -425,8 +443,7 @@ export interface VerificationMethod {
 }
 
 /**
- * The new status this amendment sets. For POA&Ms, this is the current status (POA&Ms track
- * work, they don't change status).
+ * The new status this amendment sets. Optional when only impact is being overridden.
  *
  * The status of an individual test result. 'notApplicable' indicates the requirement does
  * not apply to the target. 'notReviewed' indicates the requirement was not assessed (e.g.,
@@ -443,15 +460,27 @@ export enum ResultStatus {
 /**
  * The type of amendment.
  *
- * The type of amendment. 'waiver': risk accepted (AO). 'attestation': manually verified
- * (assessor). 'exception': not applicable (system owner + AO). 'poam': remediation tracked
- * (no status change). 'inherited': control provided by another component or system
- * (overrides to notApplicable/passed).
+ * The type of amendment, aligned with FedRAMP deviation request categories. 'waiver': risk
+ * accepted by Authorizing Official. 'attestation': manually verified by assessor. 'poam':
+ * remediation tracked (no status change). 'inherited': control provided by another
+ * component or system. 'falsePositive': scanner incorrectly identified a finding — for
+ * compliance scans (STIG, CIS), the check actually passes, so status is typically set to
+ * 'passed'; for vulnerability scans (CVE, SCA), the flagged vulnerability does not apply to
+ * this system, so status is typically set to 'notApplicable'. The disposition field on the
+ * requirement distinguishes false positives from genuinely not-applicable findings.
+ * 'riskAdjustment': impact score adjusted based on environmental context (FedRAMP Risk
+ * Adjustment); does not change pass/fail status, only impact via the impact field.
+ * 'operationalRequirement': deviation required by operational constraints (FedRAMP
+ * Operational Requirement); the finding cannot be remediated because the system requires
+ * the affected functionality. Remains an open risk. Migration note: 'exception' was removed
+ * in v3.1.0 — use 'waiver' with status 'notApplicable' instead.
  */
 export enum OverrideType {
     Attestation = "attestation",
-    Exception = "exception",
+    FalsePositive = "falsePositive",
     Inherited = "inherited",
+    OperationalRequirement = "operationalRequirement",
     Poam = "poam",
+    RiskAdjustment = "riskAdjustment",
     Waiver = "waiver",
 }

package/dist/ts/hdf-results.d.ts

@@ -417,8 +417,22 @@ export interface EvaluatedRequirement {
      */
     descriptions: Description[];
     /**
-     * The current effective status of this requirement after applying the most recent
-     * non-expired override, or computed from results if no overrides exist.
+     * The type of the most recent non-expired override or POAM governing this requirement.
+     * Indicates why the requirement is in its current state (e.g., waiver, falsePositive,
+     * riskAdjustment) or what remediation is being tracked (poam). Absent when no overrides or
+     * POAMs apply.
+     */
+    disposition?: OverrideType;
+    /**
+     * The current effective impact score (0.0–1.0) after applying the most recent non-expired
+     * override with an impact field. Absent when no impact overrides apply; consumers should
+     * use the requirement's impact field in that case.
+     */
+    effectiveImpact?: number;
+    /**
+     * The current effective compliance status of this requirement after applying the most
+     * recent non-expired override with a status field, or computed from results (worst-wins) if
+     * no status-bearing overrides exist.
      */
     effectiveStatus?: ResultStatus;
     /**
@@ -446,9 +460,10 @@ export interface EvaluatedRequirement {
      */
     sourceLocation?: SourceLocation;
     /**
-     * Chronological history of all status overrides applied to this requirement. Status
-     * overrides are intentional changes to the compliance status (waivers, attestations). Most
-     * recent override should be first in array. Preserves full audit trail.
+     * Chronological history of all overrides applied to this requirement. Overrides are
+     * intentional changes to the compliance status and/or impact score (waivers, attestations,
+     * false positives, risk adjustments). Most recent override should be first in array.
+     * Preserves full audit trail.
      */
     statusOverrides?: StatusOverride[];
     /**
@@ -494,8 +509,41 @@ export interface Description {
     [property: string]: any;
 }
 /**
- * The current effective status of this requirement after applying the most recent
- * non-expired override, or computed from results if no overrides exist.
+ * The type of the most recent non-expired override or POAM governing this requirement.
+ * Indicates why the requirement is in its current state (e.g., waiver, falsePositive,
+ * riskAdjustment) or what remediation is being tracked (poam). Absent when no overrides or
+ * POAMs apply.
+ *
+ * The type of amendment, aligned with FedRAMP deviation request categories. 'waiver': risk
+ * accepted by Authorizing Official. 'attestation': manually verified by assessor. 'poam':
+ * remediation tracked (no status change). 'inherited': control provided by another
+ * component or system. 'falsePositive': scanner incorrectly identified a finding — for
+ * compliance scans (STIG, CIS), the check actually passes, so status is typically set to
+ * 'passed'; for vulnerability scans (CVE, SCA), the flagged vulnerability does not apply to
+ * this system, so status is typically set to 'notApplicable'. The disposition field on the
+ * requirement distinguishes false positives from genuinely not-applicable findings.
+ * 'riskAdjustment': impact score adjusted based on environmental context (FedRAMP Risk
+ * Adjustment); does not change pass/fail status, only impact via the impact field.
+ * 'operationalRequirement': deviation required by operational constraints (FedRAMP
+ * Operational Requirement); the finding cannot be remediated because the system requires
+ * the affected functionality. Remains an open risk. Migration note: 'exception' was removed
+ * in v3.1.0 — use 'waiver' with status 'notApplicable' instead.
+ *
+ * The type of override applied to this requirement.
+ */
+export declare enum OverrideType {
+    Attestation = "attestation",
+    FalsePositive = "falsePositive",
+    Inherited = "inherited",
+    OperationalRequirement = "operationalRequirement",
+    Poam = "poam",
+    RiskAdjustment = "riskAdjustment",
+    Waiver = "waiver"
+}
+/**
+ * The current effective compliance status of this requirement after applying the most
+ * recent non-expired override with a status field, or computed from results (worst-wins) if
+ * no status-bearing overrides exist.
  *
  * The status of an individual test result. 'notApplicable' indicates the requirement does
  * not apply to the target. 'notReviewed' indicates the requirement was not assessed (e.g.,
@@ -503,8 +551,8 @@ export interface Description {
  *
  * The status of this test within the requirement. Example: 'failed'.
  *
- * The new status this override sets for the requirement. This intentionally changes the
- * compliance status.
+ * The new status this override sets for the requirement. Optional when only impact is being
+ * overridden.
  */
 export declare enum ResultStatus {
     Error = "error",
@@ -566,8 +614,8 @@ export interface Evidence {
  *
  * The identity that created this signature.
  *
- * Identity of who applied this status override. For simple cases, use type 'simple' with
- * just an identifier.
+ * Identity of who applied this override. For simple cases, use type 'simple' with just an
+ * identifier.
  *
  * Identity of the person or system that approved this override.
  *
@@ -664,6 +712,7 @@ export interface Poam {
     /**
      * The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via
      * compensating controls. 'riskAcceptance' documents decision to accept risk.
+     * 'vendorDependency' tracks a fix that depends on a vendor releasing a patch or update.
      */
     type: PoamType;
     [property: string]: any;
@@ -790,11 +839,13 @@ export interface VerificationMethod {
 /**
  * The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via
  * compensating controls. 'riskAcceptance' documents decision to accept risk.
+ * 'vendorDependency' tracks a fix that depends on a vendor releasing a patch or update.
  */
 export declare enum PoamType {
     Mitigation = "mitigation",
     Remediation = "remediation",
-    RiskAcceptance = "riskAcceptance"
+    RiskAcceptance = "riskAcceptance",
+    VendorDependency = "vendorDependency"
 }
 /**
  * A reference to an external document.
@@ -887,30 +938,34 @@ export interface SourceLocation {
     [property: string]: any;
 }
 /**
- * An intentional change to a requirement's compliance status (waiver or attestation).
- * Status overrides change the effectiveStatus of the requirement. All status overrides must
- * have an expiration date to enforce periodic review.
+ * An intentional change to a requirement's compliance status and/or impact score. At least
+ * one of status or impact must be set. Overrides change the effectiveStatus or impact of
+ * the requirement. All overrides must have an expiration date to enforce periodic review.
  */
 export interface StatusOverride {
     /**
-     * Timestamp when this status override was applied. ISO 8601 format.
+     * Timestamp when this override was applied. ISO 8601 format.
      */
     appliedAt: Date;
     /**
-     * Identity of who applied this status override. For simple cases, use type 'simple' with
-     * just an identifier.
+     * Identity of who applied this override. For simple cases, use type 'simple' with just an
+     * identifier.
      */
     appliedBy: Identity;
     /**
-     * Supporting evidence for this status override, such as screenshots demonstrating manual
+     * Supporting evidence for this override, such as screenshots demonstrating manual
      * verification for attestations.
      */
     evidence?: Evidence[];
     /**
-     * Timestamp when this status override expires and must be reviewed/renewed. REQUIRED - no
-     * permanent status overrides allowed. ISO 8601 format.
+     * Timestamp when this override expires and must be reviewed/renewed. REQUIRED - no
+     * permanent overrides allowed. ISO 8601 format.
      */
     expiresAt: Date;
+    /**
+     * Override to the requirement's impact score. At least one of status or impact must be set.
+     */
+    impact?: ImpactOverride;
     /**
      * SHA-256 checksum of the previous amendment in chronological order. Creates a
      * tamper-evident chain of amendments (similar to blockchain). Null for the first amendment
@@ -918,7 +973,7 @@ export interface StatusOverride {
      */
     previousChecksum?: Checksum;
     /**
-     * Explanation for why this status override was applied.
+     * Explanation for why this override was applied.
      */
     reason: string;
     /**
@@ -928,30 +983,29 @@ export interface StatusOverride {
      */
     signature?: Signature;
     /**
-     * The new status this override sets for the requirement. This intentionally changes the
-     * compliance status.
+     * The new status this override sets for the requirement. Optional when only impact is being
+     * overridden.
      */
-    status: ResultStatus;
+    status?: ResultStatus;
     /**
-     * The type of status override applied to this requirement.
+     * The type of override applied to this requirement.
      */
     type: OverrideType;
     [property: string]: any;
 }
 /**
- * The type of status override applied to this requirement.
+ * Override to the requirement's impact score. At least one of status or impact must be
+ * set.
  *
- * The type of amendment. 'waiver': risk accepted (AO). 'attestation': manually verified
- * (assessor). 'exception': not applicable (system owner + AO). 'poam': remediation tracked
- * (no status change). 'inherited': control provided by another component or system
- * (overrides to notApplicable/passed).
+ * An override to the requirement's impact score. The prior impact is the original result
+ * value or the preceding override in the chain.
  */
-export declare enum OverrideType {
-    Attestation = "attestation",
-    Exception = "exception",
-    Inherited = "inherited",
-    Poam = "poam",
-    Waiver = "waiver"
+export interface ImpactOverride {
+    /**
+     * The overridden impact score (0.0–1.0).
+     */
+    value: number;
+    [property: string]: any;
 }
 /**
  * A supported platform target. Example: the platform name being 'ubuntu'.

package/dist/ts/hdf-results.js

@@ -43,8 +43,42 @@ export var HashAlgorithm;
     HashAlgorithm["Sha512"] = "sha512";
 })(HashAlgorithm || (HashAlgorithm = {}));
 /**
- * The current effective status of this requirement after applying the most recent
- * non-expired override, or computed from results if no overrides exist.
+ * The type of the most recent non-expired override or POAM governing this requirement.
+ * Indicates why the requirement is in its current state (e.g., waiver, falsePositive,
+ * riskAdjustment) or what remediation is being tracked (poam). Absent when no overrides or
+ * POAMs apply.
+ *
+ * The type of amendment, aligned with FedRAMP deviation request categories. 'waiver': risk
+ * accepted by Authorizing Official. 'attestation': manually verified by assessor. 'poam':
+ * remediation tracked (no status change). 'inherited': control provided by another
+ * component or system. 'falsePositive': scanner incorrectly identified a finding — for
+ * compliance scans (STIG, CIS), the check actually passes, so status is typically set to
+ * 'passed'; for vulnerability scans (CVE, SCA), the flagged vulnerability does not apply to
+ * this system, so status is typically set to 'notApplicable'. The disposition field on the
+ * requirement distinguishes false positives from genuinely not-applicable findings.
+ * 'riskAdjustment': impact score adjusted based on environmental context (FedRAMP Risk
+ * Adjustment); does not change pass/fail status, only impact via the impact field.
+ * 'operationalRequirement': deviation required by operational constraints (FedRAMP
+ * Operational Requirement); the finding cannot be remediated because the system requires
+ * the affected functionality. Remains an open risk. Migration note: 'exception' was removed
+ * in v3.1.0 — use 'waiver' with status 'notApplicable' instead.
+ *
+ * The type of override applied to this requirement.
+ */
+export var OverrideType;
+(function (OverrideType) {
+    OverrideType["Attestation"] = "attestation";
+    OverrideType["FalsePositive"] = "falsePositive";
+    OverrideType["Inherited"] = "inherited";
+    OverrideType["OperationalRequirement"] = "operationalRequirement";
+    OverrideType["Poam"] = "poam";
+    OverrideType["RiskAdjustment"] = "riskAdjustment";
+    OverrideType["Waiver"] = "waiver";
+})(OverrideType || (OverrideType = {}));
+/**
+ * The current effective compliance status of this requirement after applying the most
+ * recent non-expired override with a status field, or computed from results (worst-wins) if
+ * no status-bearing overrides exist.
  *
  * The status of an individual test result. 'notApplicable' indicates the requirement does
  * not apply to the target. 'notReviewed' indicates the requirement was not assessed (e.g.,
@@ -52,8 +86,8 @@ export var HashAlgorithm;
  *
  * The status of this test within the requirement. Example: 'failed'.
  *
- * The new status this override sets for the requirement. This intentionally changes the
- * compliance status.
+ * The new status this override sets for the requirement. Optional when only impact is being
+ * overridden.
  */
 export var ResultStatus;
 (function (ResultStatus) {
@@ -100,12 +134,14 @@ export var Status;
 /**
  * The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via
  * compensating controls. 'riskAcceptance' documents decision to accept risk.
+ * 'vendorDependency' tracks a fix that depends on a vendor releasing a patch or update.
  */
 export var PoamType;
 (function (PoamType) {
     PoamType["Mitigation"] = "mitigation";
     PoamType["Remediation"] = "remediation";
     PoamType["RiskAcceptance"] = "riskAcceptance";
+    PoamType["VendorDependency"] = "vendorDependency";
 })(PoamType || (PoamType = {}));
 /**
  * Explicit severity rating. Typically derived from impact score but provided explicitly for
@@ -121,22 +157,6 @@ export var Severity;
     Severity["Low"] = "low";
     Severity["Medium"] = "medium";
 })(Severity || (Severity = {}));
-/**
- * The type of status override applied to this requirement.
- *
- * The type of amendment. 'waiver': risk accepted (AO). 'attestation': manually verified
- * (assessor). 'exception': not applicable (system owner + AO). 'poam': remediation tracked
- * (no status change). 'inherited': control provided by another component or system
- * (overrides to notApplicable/passed).
- */
-export var OverrideType;
-(function (OverrideType) {
-    OverrideType["Attestation"] = "attestation";
-    OverrideType["Exception"] = "exception";
-    OverrideType["Inherited"] = "inherited";
-    OverrideType["Poam"] = "poam";
-    OverrideType["Waiver"] = "waiver";
-})(OverrideType || (OverrideType = {}));
 export var CloudProvider;
 (function (CloudProvider) {
     CloudProvider["Aws"] = "aws";