@mitre/hdf-schema 3.0.1 → 3.1.0-rc.1

package/dist/schemas/hdf-results.schema.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://mitre.github.io/hdf-libs/schemas/hdf-results/v3.0.0",
+  "$id": "https://mitre.github.io/hdf-libs/schemas/hdf-results/v3.1.0",
   "type": "object",
   "unevaluatedProperties": false,
   "required": [
@@ -20,7 +20,7 @@
     "components": {
       "type": "array",
       "items": {
-        "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.0.0#/$defs/Component"
+        "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.1.0#/$defs/Component"
       },
       "description": "The components that were assessed. Each component describes a system element (host, container, cloud resource, application, etc.) with optional identity, SBOM, and external references."
     },
@@ -32,27 +32,27 @@
       "description": "Information on the baselines that were evaluated, including findings."
     },
     "statistics": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/statistics/v3.0.0#/$defs/Statistics",
+      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/statistics/v3.1.0#/$defs/Statistics",
       "description": "Statistics for the assessment run, including duration and result counts."
     },
     "generator": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Generator",
+      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Generator",
       "description": "Information about the tool that generated this file."
     },
     "tool": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Tool",
+      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Tool",
       "description": "The security tool that produced the assessment data in this file."
     },
     "integrity": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Integrity",
+      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Integrity",
       "description": "Cryptographic integrity information for verifying this file."
     },
     "runner": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/runner/v3.0.0#/$defs/Runner",
+      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/runner/v3.1.0#/$defs/Runner",
       "description": "Information about the test execution environment where the security tool was run. Distinct from targets (what is being tested)."
     },
     "remediation": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Remediation",
+      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Remediation",
       "description": "Optional reference to automated remediation resources (Ansible playbooks, Terraform scripts, etc.) for fixing failing requirements found in this assessment."
     },
     "systemRef": {
@@ -160,14 +160,14 @@
       ],
       "allOf": [
         {
-          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Baseline_Metadata"
+          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Baseline_Metadata"
         }
       ],
       "properties": {
         "depends": {
           "type": "array",
           "items": {
-            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Dependency"
+            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Dependency"
           },
           "description": "The set of dependencies this baseline depends on."
         },
@@ -180,15 +180,15 @@
           "description": "The description - should be more detailed than the summary."
         },
         "integrity": {
-          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Integrity",
+          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Integrity",
           "description": "Cryptographic integrity information for verifying this baseline has not been tampered with."
         },
         "originalChecksum": {
-          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Checksum",
+          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
           "description": "SHA-256 checksum of the original baseline definition file (before execution). This is an immutable reference to the baseline as defined, used to detect tampering with baseline requirements or metadata."
         },
         "resultsChecksum": {
-          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Checksum",
+          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
           "description": "SHA-256 checksum of the raw results before any amendments (statusOverrides or POAMs). Used to detect tampering with test results. Compare with currentChecksum to verify amendment integrity."
         },
         "statusMessage": {
@@ -206,14 +206,14 @@
         "groups": {
           "type": "array",
           "items": {
-            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Requirement_Group"
+            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Requirement_Group"
           },
           "description": "A set of descriptions for the requirement groups."
         },
         "inputs": {
           "type": "array",
           "items": {
-            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.0.0#/$defs/Input"
+            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.1.0#/$defs/Input"
           },
           "description": "Typed inputs used to parameterize this baseline at execution time. See the Input primitive for the full schema."
         },
@@ -238,7 +238,7 @@
       ],
       "allOf": [
         {
-          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Requirement_Core"
+          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Requirement_Core"
         }
       ],
       "properties": {
@@ -246,7 +246,7 @@
           "type": "array",
           "minItems": 1,
           "items": {
-            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0#/$defs/Requirement_Description"
+            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0#/$defs/Requirement_Description"
           },
           "contains": {
             "type": "object",
@@ -262,53 +262,343 @@
           "description": "Array of labeled descriptions. At least one description with label 'default' must be present. Convention: place default description first. Common labels: 'default', 'check', 'fix', 'rationale'."
         },
         "severity": {
-          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Severity",
+          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Severity",
           "description": "Explicit severity rating. Typically derived from impact score but provided explicitly for clarity."
         },
         "sourceLocation": {
-          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Source_Location",
+          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Source_Location",
           "description": "The explicit location of the requirement within the source code."
         },
         "results": {
           "type": "array",
           "minItems": 1,
           "items": {
-            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0#/$defs/Requirement_Result"
+            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0#/$defs/Requirement_Result"
           },
           "description": "The set of all tests within the requirement and their results."
         },
         "statusOverrides": {
           "type": "array",
           "items": {
-            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Status_Override"
+            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Status_Override"
           },
-          "description": "Chronological history of all status overrides applied to this requirement. Status overrides are intentional changes to the compliance status (waivers, attestations). Most recent override should be first in array. Preserves full audit trail."
+          "description": "Chronological history of all overrides applied to this requirement. Overrides are intentional changes to the compliance status and/or impact score (waivers, attestations, false positives, risk adjustments). Most recent override should be first in array. Preserves full audit trail."
         },
         "poams": {
           "type": "array",
           "items": {
-            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/POAM"
+            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/POAM"
           },
           "description": "Plan of Action and Milestones for tracking remediation, mitigation, or risk acceptance. POAMs do NOT change effectiveStatus - they track the work being done to address a failure. Separate from statusOverrides which DO change status."
         },
         "effectiveStatus": {
-          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0#/$defs/Result_Status",
-          "description": "The current effective status of this requirement after applying the most recent non-expired override, or computed from results if no overrides exist."
+          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0#/$defs/Result_Status",
+          "description": "The current effective compliance status of this requirement after applying the most recent non-expired override with a status field, or computed from results (worst-wins) if no status-bearing overrides exist."
+        },
+        "effectiveImpact": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1,
+          "description": "The current effective impact score (0.0–1.0) after applying the most recent non-expired override with an impact field. Absent when no impact overrides apply; consumers should use the requirement's impact field in that case."
+        },
+        "disposition": {
+          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0#/$defs/Override_Type",
+          "description": "The type of the most recent non-expired override or POAM governing this requirement. Indicates why the requirement is in its current state (e.g., waiver, falsePositive, riskAdjustment) or what remediation is being tracked (poam). Absent when no overrides or POAMs apply."
         },
         "evidence": {
           "type": "array",
           "items": {
-            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Evidence"
+            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Evidence"
           },
           "description": "Supporting evidence for this requirement's findings, such as screenshots, code samples, or log excerpts."
         }
       },
+      "examples": [
+        {
+          "$comment": "Passing requirement — no overrides, no disposition",
+          "id": "SV-230222",
+          "title": "RHEL 9 must use SSH protocol version 2",
+          "impact": 0.7,
+          "tags": {
+            "nist": [
+              "SC-8"
+            ]
+          },
+          "descriptions": [
+            {
+              "label": "default",
+              "data": "SSH must use protocol version 2."
+            }
+          ],
+          "results": [
+            {
+              "status": "passed",
+              "codeDesc": "sshd_config Protocol is expected to eq 2",
+              "startTime": "2026-01-15T10:00:00Z"
+            }
+          ],
+          "effectiveStatus": "passed"
+        },
+        {
+          "$comment": "Waiver — AO accepted risk, status overridden to passed",
+          "id": "SV-230300",
+          "title": "RHEL 9 must enforce password complexity",
+          "impact": 0.5,
+          "tags": {
+            "nist": [
+              "IA-5 (1)"
+            ]
+          },
+          "descriptions": [
+            {
+              "label": "default",
+              "data": "Passwords must meet complexity requirements."
+            }
+          ],
+          "results": [
+            {
+              "status": "failed",
+              "codeDesc": "pwquality.conf minlen is expected to be >= 15",
+              "startTime": "2026-01-15T10:00:00Z",
+              "message": "expected 8 to be >= 15"
+            }
+          ],
+          "statusOverrides": [
+            {
+              "type": "waiver",
+              "status": "passed",
+              "reason": "Compensating control: PIV/CAC smart card authentication enforced for all users, password login disabled",
+              "appliedBy": {
+                "type": "email",
+                "identifier": "ao@agency.gov"
+              },
+              "appliedAt": "2026-01-20T10:00:00Z",
+              "expiresAt": "2026-07-20T00:00:00Z"
+            }
+          ],
+          "effectiveStatus": "passed",
+          "disposition": "waiver"
+        },
+        {
+          "$comment": "False positive (compliance scan) — STIG check was wrong, requirement actually passes",
+          "id": "SV-230410",
+          "title": "RHEL 9 must have sshd PermitRootLogin disabled",
+          "impact": 0.7,
+          "tags": {
+            "nist": [
+              "AC-6"
+            ]
+          },
+          "descriptions": [
+            {
+              "label": "default",
+              "data": "Direct root login via SSH must be disabled."
+            }
+          ],
+          "results": [
+            {
+              "status": "failed",
+              "codeDesc": "sshd_config PermitRootLogin is expected to eq 'no'",
+              "startTime": "2026-01-15T10:00:00Z",
+              "message": "expected 'prohibit-password' to eq 'no'"
+            }
+          ],
+          "statusOverrides": [
+            {
+              "type": "falsePositive",
+              "status": "passed",
+              "reason": "Scanner requires literal 'no' but 'prohibit-password' is equally restrictive (disables password-based root login). Manual review confirms root cannot authenticate via SSH.",
+              "appliedBy": {
+                "type": "email",
+                "identifier": "assessor@agency.gov"
+              },
+              "appliedAt": "2026-01-16T14:00:00Z",
+              "expiresAt": "2026-07-16T00:00:00Z"
+            }
+          ],
+          "effectiveStatus": "passed",
+          "disposition": "falsePositive"
+        },
+        {
+          "$comment": "False positive (CVE scan) — vulnerability does not apply to this build",
+          "id": "CVE-2026-12345",
+          "title": "libxml2 buffer overflow in xmlParseEntityDecl",
+          "impact": 0.9,
+          "tags": {
+            "nist": [
+              "SI-2",
+              "RA-5"
+            ]
+          },
+          "descriptions": [
+            {
+              "label": "default",
+              "data": "Buffer overflow in libxml2 entity parsing allows remote code execution."
+            }
+          ],
+          "results": [
+            {
+              "status": "failed",
+              "codeDesc": "libxml2 >= 2.9.0 is expected to be patched for CVE-2026-12345",
+              "startTime": "2026-01-15T10:00:00Z"
+            }
+          ],
+          "statusOverrides": [
+            {
+              "type": "falsePositive",
+              "status": "notApplicable",
+              "reason": "CVE scanner matched libxml2 version signature, but the vulnerable entity parsing module is compiled out of our build (--without-legacy flag). The affected code path does not exist in the binary.",
+              "appliedBy": {
+                "type": "email",
+                "identifier": "dev@org.gov"
+              },
+              "appliedAt": "2026-01-16T09:00:00Z",
+              "expiresAt": "2026-07-16T00:00:00Z"
+            }
+          ],
+          "effectiveStatus": "notApplicable",
+          "disposition": "falsePositive"
+        },
+        {
+          "$comment": "Risk adjustment — impact lowered, pass/fail unchanged",
+          "id": "CVE-2026-67890",
+          "title": "OpenSSL timing side-channel in RSA decryption",
+          "impact": 0.7,
+          "tags": {
+            "nist": [
+              "SI-2",
+              "RA-5"
+            ]
+          },
+          "descriptions": [
+            {
+              "label": "default",
+              "data": "Timing side-channel may allow RSA private key recovery."
+            }
+          ],
+          "results": [
+            {
+              "status": "failed",
+              "codeDesc": "openssl >= 3.1.0 is expected to be patched for CVE-2026-67890",
+              "startTime": "2026-01-15T10:00:00Z"
+            }
+          ],
+          "statusOverrides": [
+            {
+              "type": "riskAdjustment",
+              "impact": {
+                "value": 0.3
+              },
+              "reason": "The RSA key exchange path is unreachable in our deployment — all TLS connections use ECDHE. Attack requires local network access to the TLS terminator, which is in an isolated VLAN.",
+              "appliedBy": {
+                "type": "email",
+                "identifier": "security-architect@org.gov"
+              },
+              "appliedAt": "2026-01-17T10:00:00Z",
+              "expiresAt": "2026-07-17T00:00:00Z"
+            }
+          ],
+          "effectiveStatus": "failed",
+          "effectiveImpact": 0.3,
+          "disposition": "riskAdjustment"
+        },
+        {
+          "$comment": "Operational requirement — cannot remediate, remains open risk",
+          "id": "SV-230500",
+          "title": "RHEL 9 must disable USB mass storage",
+          "impact": 0.5,
+          "tags": {
+            "nist": [
+              "MP-7"
+            ]
+          },
+          "descriptions": [
+            {
+              "label": "default",
+              "data": "USB mass storage kernel module must be disabled."
+            }
+          ],
+          "results": [
+            {
+              "status": "failed",
+              "codeDesc": "Kernel module 'usb-storage' is expected to be disabled",
+              "startTime": "2026-01-15T10:00:00Z",
+              "message": "usb-storage module is loaded"
+            }
+          ],
+          "statusOverrides": [
+            {
+              "type": "operationalRequirement",
+              "status": "failed",
+              "reason": "Air-gapped system requires USB transfer for classified data ingestion per operational procedure OP-2026-003. Compensating controls: USB ports are physically secured, all transfers are logged and require two-person integrity.",
+              "appliedBy": {
+                "type": "email",
+                "identifier": "system-owner@agency.gov"
+              },
+              "appliedAt": "2026-01-20T10:00:00Z",
+              "expiresAt": "2026-07-20T00:00:00Z"
+            }
+          ],
+          "effectiveStatus": "failed",
+          "disposition": "operationalRequirement"
+        },
+        {
+          "$comment": "POAM — remediation tracked, status unchanged",
+          "id": "SV-230350",
+          "title": "RHEL 9 must be patched within 30 days of release",
+          "impact": 0.7,
+          "tags": {
+            "nist": [
+              "SI-2"
+            ]
+          },
+          "descriptions": [
+            {
+              "label": "default",
+              "data": "Security patches must be applied within 30 days."
+            }
+          ],
+          "results": [
+            {
+              "status": "failed",
+              "codeDesc": "Package updates are expected to be current within 30 days",
+              "startTime": "2026-01-15T10:00:00Z",
+              "message": "15 packages have patches older than 30 days"
+            }
+          ],
+          "poams": [
+            {
+              "type": "remediation",
+              "explanation": "Patch deployment blocked by vendor compatibility testing. Vendor confirmed fix for Q2 2026.",
+              "appliedBy": {
+                "type": "email",
+                "identifier": "ops@agency.gov"
+              },
+              "appliedAt": "2026-01-20T10:00:00Z",
+              "milestones": [
+                {
+                  "description": "Vendor releases compatible patch",
+                  "estimatedCompletion": "2026-04-01T00:00:00Z",
+                  "status": "pending"
+                },
+                {
+                  "description": "Deploy to production",
+                  "estimatedCompletion": "2026-04-15T00:00:00Z",
+                  "status": "pending"
+                }
+              ]
+            }
+          ],
+          "effectiveStatus": "failed",
+          "disposition": "poam"
+        }
+      ],
       "description": "A requirement that has been evaluated, including any findings.",
       "title": "Evaluated Requirement"
     },
-    "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.0.0": {
+    "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.1.0": {
       "$schema": "https://json-schema.org/draft/2020-12/schema",
-      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.0.0",
+      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.1.0",
       "title": "HDF Component Primitives",
       "description": "First-class system component with identity, polymorphic type, SBOM embedding, and system-binding properties. Components are the successor to Targets, adding stable identity (componentId), external system cross-references, and software inventory.",
       "$defs": {
@@ -338,7 +628,7 @@
               "description": "Description of this component's role or purpose."
             },
             "owner": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
               "description": "Team or individual responsible for this component. Enables per-component ownership when different teams manage different parts of a system."
             },
             "externalIds": {
@@ -382,12 +672,12 @@
             "inputOverrides": {
               "type": "array",
               "items": {
-                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.0.0#/$defs/Input_Override"
+                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.1.0#/$defs/Input_Override"
               },
               "description": "System-specific overrides for baseline input values."
             },
             "targetSelector": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.0.0#/$defs/Target_Selector",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.1.0#/$defs/Target_Selector",
               "description": "Label selector to match targets belonging to this component during migration. Targets with matching labels are automatically included."
             }
           },
@@ -707,7 +997,7 @@
                   "const": "cloudAccount"
                 },
                 "provider": {
-                  "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Cloud_Provider",
+                  "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Cloud_Provider",
                   "description": "Cloud provider."
                 },
                 "accountId": {
@@ -746,7 +1036,7 @@
                   "const": "cloudResource"
                 },
                 "provider": {
-                  "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Cloud_Provider",
+                  "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Cloud_Provider",
                   "description": "Cloud provider."
                 },
                 "resourceType": {
@@ -926,9 +1216,9 @@
         }
       }
     },
-    "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0": {
+    "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0": {
       "$schema": "https://json-schema.org/draft/2020-12/schema",
-      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0",
+      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0",
       "title": "HDF Common Primitives",
       "description": "Shared building blocks used by hdf-results and hdf-baseline schemas.",
       "$defs": {
@@ -1744,9 +2034,9 @@
         }
       }
     },
-    "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.0.0": {
+    "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.1.0": {
       "$schema": "https://json-schema.org/draft/2020-12/schema",
-      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.0.0",
+      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.1.0",
       "title": "HDF System Primitives",
       "description": "Types for describing system architecture, authorization boundaries, and components.",
       "$defs": {
@@ -1797,7 +2087,7 @@
               "description": "Rationale for why this override is needed."
             },
             "approvedBy": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
               "description": "Identity of the person or system that approved this override."
             }
           },
@@ -1878,9 +2168,9 @@
         }
       }
     },
-    "https://mitre.github.io/hdf-libs/schemas/primitives/statistics/v3.0.0": {
+    "https://mitre.github.io/hdf-libs/schemas/primitives/statistics/v3.1.0": {
       "$schema": "https://json-schema.org/draft/2020-12/schema",
-      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/statistics/v3.0.0",
+      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/statistics/v3.1.0",
       "title": "HDF Statistics Primitives",
       "description": "Statistics types for tracking assessment run metrics.",
       "$defs": {
@@ -1949,9 +2239,9 @@
         }
       }
     },
-    "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0": {
+    "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0": {
       "$schema": "https://json-schema.org/draft/2020-12/schema",
-      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0",
+      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0",
       "title": "HDF Extension Primitives",
       "description": "Extension types for waivers, attestations, generators, and integrity.",
       "$defs": {
@@ -1960,52 +2250,67 @@
           "unevaluatedProperties": false,
           "required": [
             "type",
-            "status",
             "reason",
             "appliedBy",
             "appliedAt",
             "expiresAt"
           ],
+          "anyOf": [
+            {
+              "required": [
+                "status"
+              ]
+            },
+            {
+              "required": [
+                "impact"
+              ]
+            }
+          ],
           "properties": {
             "type": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.0.0#/$defs/Override_Type",
-              "description": "The type of status override applied to this requirement."
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0#/$defs/Override_Type",
+              "description": "The type of override applied to this requirement."
             },
             "status": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0#/$defs/Result_Status",
-              "description": "The new status this override sets for the requirement. This intentionally changes the compliance status."
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0#/$defs/Result_Status",
+              "description": "The new status this override sets for the requirement. Optional when only impact is being overridden."
+            },
+            "impact": {
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0#/$defs/Impact_Override",
+              "description": "Override to the requirement's impact score. At least one of status or impact must be set."
             },
             "reason": {
               "type": "string",
-              "description": "Explanation for why this status override was applied."
+              "description": "Explanation for why this override was applied."
             },
             "appliedBy": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
-              "description": "Identity of who applied this status override. For simple cases, use type 'simple' with just an identifier."
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
+              "description": "Identity of who applied this override. For simple cases, use type 'simple' with just an identifier."
             },
             "appliedAt": {
               "type": "string",
               "format": "date-time",
-              "description": "Timestamp when this status override was applied. ISO 8601 format."
+              "description": "Timestamp when this override was applied. ISO 8601 format."
             },
             "expiresAt": {
               "type": "string",
               "format": "date-time",
-              "description": "Timestamp when this status override expires and must be reviewed/renewed. REQUIRED - no permanent status overrides allowed. ISO 8601 format."
+              "description": "Timestamp when this override expires and must be reviewed/renewed. REQUIRED - no permanent overrides allowed. ISO 8601 format."
             },
             "signature": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Signature",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Signature",
               "description": "Optional digital signature for enhanced trust and non-repudiation. Supports hardware security tokens (PKCS#11/PKCS#12), Yubikeys, GPG keys, passkeys, and other signing methods."
             },
             "evidence": {
               "type": "array",
               "items": {
-                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Evidence"
+                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Evidence"
               },
-              "description": "Supporting evidence for this status override, such as screenshots demonstrating manual verification for attestations."
+              "description": "Supporting evidence for this override, such as screenshots demonstrating manual verification for attestations."
             },
             "previousChecksum": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Checksum",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
               "description": "SHA-256 checksum of the previous amendment in chronological order. Creates a tamper-evident chain of amendments (similar to blockchain). Null for the first amendment on a requirement."
             }
           },
@@ -2021,6 +2326,41 @@
               "appliedAt": "2025-12-01T10:00:00Z",
               "expiresAt": "2026-12-01T00:00:00Z"
             },
+            {
+              "type": "riskAdjustment",
+              "impact": {
+                "value": 0.3
+              },
+              "reason": "CVE-123 is in a dead code path, unreachable from any entry point",
+              "appliedBy": {
+                "identifier": "dev@org.gov",
+                "type": "email"
+              },
+              "appliedAt": "2026-04-14T10:00:00Z",
+              "expiresAt": "2026-10-14T00:00:00Z"
+            },
+            {
+              "type": "falsePositive",
+              "status": "passed",
+              "reason": "STIG check misidentified sshd_config syntax; manual review confirms compliant configuration",
+              "appliedBy": {
+                "identifier": "assessor@agency.gov",
+                "type": "email"
+              },
+              "appliedAt": "2026-04-14T10:00:00Z",
+              "expiresAt": "2026-10-14T00:00:00Z"
+            },
+            {
+              "type": "falsePositive",
+              "status": "notApplicable",
+              "reason": "CVE scanner matched library signature but the vulnerable code path is not present — dependency compiled with affected module disabled",
+              "appliedBy": {
+                "identifier": "dev@org.gov",
+                "type": "email"
+              },
+              "appliedAt": "2026-04-14T10:00:00Z",
+              "expiresAt": "2026-10-14T00:00:00Z"
+            },
             {
               "type": "attestation",
               "status": "passed",
@@ -2048,7 +2388,7 @@
               ]
             }
           ],
-          "description": "An intentional change to a requirement's compliance status (waiver or attestation). Status overrides change the effectiveStatus of the requirement. All status overrides must have an expiration date to enforce periodic review.",
+          "description": "An intentional change to a requirement's compliance status and/or impact score. At least one of status or impact must be set. Overrides change the effectiveStatus or impact of the requirement. All overrides must have an expiration date to enforce periodic review.",
           "title": "Status Override"
         },
         "POAM": {
@@ -2066,16 +2406,17 @@
               "enum": [
                 "remediation",
                 "mitigation",
-                "riskAcceptance"
+                "riskAcceptance",
+                "vendorDependency"
               ],
-              "description": "The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via compensating controls. 'riskAcceptance' documents decision to accept risk."
+              "description": "The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via compensating controls. 'riskAcceptance' documents decision to accept risk. 'vendorDependency' tracks a fix that depends on a vendor releasing a patch or update."
             },
             "explanation": {
               "type": "string",
               "description": "Detailed explanation of the plan, including what actions will be taken."
             },
             "appliedBy": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
               "description": "Identity of who created this POA&M. For simple cases, use type 'simple' with just an identifier."
             },
             "appliedAt": {
@@ -2091,23 +2432,23 @@
             "milestones": {
               "type": "array",
               "items": {
-                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Milestone"
+                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Milestone"
               },
               "description": "Optional array of milestones tracking progress toward completion."
             },
             "signature": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Signature",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Signature",
               "description": "Optional digital signature for enhanced trust and non-repudiation."
             },
             "evidence": {
               "type": "array",
               "items": {
-                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Evidence"
+                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Evidence"
               },
               "description": "Supporting evidence for this POA&M, such as documentation of compensating controls or mitigation implementation."
             },
             "previousChecksum": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Checksum",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
               "description": "SHA-256 checksum of the previous amendment in chronological order. Creates a tamper-evident chain of amendments (similar to blockchain). Null for the first amendment on a requirement."
             }
           },
@@ -2258,7 +2599,7 @@
           },
           "properties": {
             "algorithm": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Hash_Algorithm",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Hash_Algorithm",
               "description": "The hash algorithm used for the checksum."
             },
             "checksum": {
@@ -2291,36 +2632,66 @@
         }
       }
     },
-    "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.0.0": {
+    "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0": {
       "$schema": "https://json-schema.org/draft/2020-12/schema",
-      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.0.0",
+      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0",
       "title": "HDF Amendment Primitives",
-      "description": "Types for waivers, attestations, exceptions, and POA&Ms that modify requirement compliance status.",
+      "description": "Types for waivers, attestations, and POA&Ms that modify requirement compliance status.",
       "$defs": {
         "Override_Type": {
           "type": "string",
           "enum": [
             "waiver",
             "attestation",
-            "exception",
             "poam",
-            "inherited"
+            "inherited",
+            "falsePositive",
+            "riskAdjustment",
+            "operationalRequirement"
           ],
-          "description": "The type of amendment. 'waiver': risk accepted (AO). 'attestation': manually verified (assessor). 'exception': not applicable (system owner + AO). 'poam': remediation tracked (no status change). 'inherited': control provided by another component or system (overrides to notApplicable/passed).",
+          "description": "The type of amendment, aligned with FedRAMP deviation request categories. 'waiver': risk accepted by Authorizing Official. 'attestation': manually verified by assessor. 'poam': remediation tracked (no status change). 'inherited': control provided by another component or system. 'falsePositive': scanner incorrectly identified a finding — for compliance scans (STIG, CIS), the check actually passes, so status is typically set to 'passed'; for vulnerability scans (CVE, SCA), the flagged vulnerability does not apply to this system, so status is typically set to 'notApplicable'. The disposition field on the requirement distinguishes false positives from genuinely not-applicable findings. 'riskAdjustment': impact score adjusted based on environmental context (FedRAMP Risk Adjustment); does not change pass/fail status, only impact via the impact field. 'operationalRequirement': deviation required by operational constraints (FedRAMP Operational Requirement); the finding cannot be remediated because the system requires the affected functionality. Remains an open risk. Migration note: 'exception' was removed in v3.1.0 — use 'waiver' with status 'notApplicable' instead.",
           "title": "Override Type"
         },
+        "Impact_Override": {
+          "type": "object",
+          "required": [
+            "value"
+          ],
+          "unevaluatedProperties": false,
+          "properties": {
+            "value": {
+              "type": "number",
+              "minimum": 0,
+              "maximum": 1,
+              "description": "The overridden impact score (0.0–1.0)."
+            }
+          },
+          "description": "An override to the requirement's impact score. The prior impact is the original result value or the preceding override in the chain.",
+          "title": "Impact Override"
+        },
         "Standalone_Override": {
           "type": "object",
           "unevaluatedProperties": false,
           "required": [
             "type",
             "requirementId",
-            "status",
             "reason",
             "appliedBy",
             "appliedAt",
             "expiresAt"
           ],
+          "anyOf": [
+            {
+              "required": [
+                "status"
+              ]
+            },
+            {
+              "required": [
+                "impact"
+              ]
+            }
+          ],
           "properties": {
             "type": {
               "$ref": "#/$defs/Override_Type",
@@ -2335,15 +2706,19 @@
               "description": "Name of the baseline containing the requirement. Required when the system has multiple baselines with potentially overlapping requirement IDs."
             },
             "status": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0#/$defs/Result_Status",
-              "description": "The new status this amendment sets. For POA&Ms, this is the current status (POA&Ms track work, they don't change status)."
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0#/$defs/Result_Status",
+              "description": "The new status this amendment sets. Optional when only impact is being overridden."
+            },
+            "impact": {
+              "$ref": "#/$defs/Impact_Override",
+              "description": "Override to the requirement's impact score. At least one of status or impact must be set."
             },
             "reason": {
               "type": "string",
               "description": "Justification for this amendment."
             },
             "appliedBy": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
               "description": "Identity of who applied this amendment."
             },
             "appliedAt": {
@@ -2359,22 +2734,22 @@
             "evidence": {
               "type": "array",
               "items": {
-                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Evidence"
+                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Evidence"
               },
               "description": "Supporting evidence (screenshots, logs, URLs, documents)."
             },
             "signature": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Signature",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Signature",
               "description": "Digital signature for non-repudiation."
             },
             "previousChecksum": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Checksum",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
               "description": "Checksum of the prior amendment in the chain. Creates a tamper-evident linked list. Null for the first amendment."
             },
             "milestones": {
               "type": "array",
               "items": {
-                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Milestone"
+                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Milestone"
               },
               "description": "Remediation milestones (primarily for POA&M type amendments)."
             },
@@ -2410,6 +2785,46 @@
                 }
               ]
             },
+            {
+              "type": "falsePositive",
+              "requirementId": "SV-258010",
+              "baselineRef": "RHEL9-STIG",
+              "status": "passed",
+              "reason": "STIG check misidentified sshd_config syntax; manual review confirms compliant configuration",
+              "appliedBy": {
+                "type": "email",
+                "identifier": "assessor@agency.gov"
+              },
+              "appliedAt": "2026-04-14T10:00:00Z",
+              "expiresAt": "2026-10-14T00:00:00Z"
+            },
+            {
+              "type": "falsePositive",
+              "requirementId": "CVE-2026-12345",
+              "status": "notApplicable",
+              "reason": "CVE scanner matched library signature but the vulnerable code path is not present in our build — dependency is compiled with the affected module disabled",
+              "appliedBy": {
+                "type": "email",
+                "identifier": "dev@org.gov"
+              },
+              "appliedAt": "2026-04-14T10:00:00Z",
+              "expiresAt": "2026-10-14T00:00:00Z"
+            },
+            {
+              "type": "riskAdjustment",
+              "requirementId": "SV-258020",
+              "baselineRef": "RHEL9-STIG",
+              "impact": {
+                "value": 0.3
+              },
+              "reason": "CVE-123 is in a dead code path, unreachable from any entry point",
+              "appliedBy": {
+                "type": "email",
+                "identifier": "dev@org.gov"
+              },
+              "appliedAt": "2026-04-14T10:00:00Z",
+              "expiresAt": "2026-10-14T00:00:00Z"
+            },
             {
               "type": "poam",
               "requirementId": "SV-258001",
@@ -2450,14 +2865,14 @@
               "expiresAt": "2026-09-26T00:00:00Z"
             }
           ],
-          "description": "A standalone amendment that modifies a requirement's compliance status. Extends the inline Status_Override concept with requirementId and baselineRef for use outside of results documents.",
+          "description": "A standalone amendment that modifies a requirement's compliance status and/or impact score. At least one of status or impact must be set. Extends the inline Override concept with requirementId and baselineRef for use outside of results documents.",
           "title": "Standalone Override"
         }
       }
     },
-    "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0": {
+    "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0": {
       "$schema": "https://json-schema.org/draft/2020-12/schema",
-      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0",
+      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0",
       "title": "HDF Result Primitives",
       "description": "Types for representing assessment results and statuses.",
       "$defs": {
@@ -2588,9 +3003,9 @@
         }
       }
     },
-    "https://mitre.github.io/hdf-libs/schemas/primitives/runner/v3.0.0": {
+    "https://mitre.github.io/hdf-libs/schemas/primitives/runner/v3.1.0": {
       "$schema": "https://json-schema.org/draft/2020-12/schema",
-      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/runner/v3.0.0",
+      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/runner/v3.1.0",
       "title": "HDF Runner Primitive",
       "description": "Information about the test execution environment where the security tool/scanner was executed.",
       "$defs": {
@@ -2626,7 +3041,7 @@
               "description": "The container instance identifier. Example: 'a1b2c3d4e5f6', 'security-scan-job-xyz123'. Can be a Docker container ID, Kubernetes pod name, or other container runtime identifier."
             },
             "operator": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
               "description": "The identity of the person or system responsible for executing the test. This could be a human auditor manually completing a checklist, an automated CI/CD system, or a security tool. Optional field to support both automated and manual HDF generation."
             }
           },
@@ -2673,9 +3088,9 @@
         }
       }
     },
-    "https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.0.0": {
+    "https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.1.0": {
       "$schema": "https://json-schema.org/draft/2020-12/schema",
-      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.0.0",
+      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.1.0",
       "title": "HDF Parameter Primitives",
       "description": "Input/parameter type definitions for typed, traceable configuration values that bridge governance prose and scanner automation.",
       "$defs": {