@mitre/hdf-schema 3.0.1 → 3.1.0

package/dist/schemas/hdf-system.schema.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://mitre.github.io/hdf-libs/schemas/hdf-system/v3.0.0",
+  "$id": "https://mitre.github.io/hdf-libs/schemas/hdf-system/v3.1.0",
   "title": "HDF System",
   "description": "Describes a system's authorization boundary, components, and interconnections. Maps to OSCAL SSP system-characteristics and FedRAMP system inventory.",
   "type": "object",
@@ -16,7 +16,7 @@
       "description": "Stable UUID (RFC 4122) for this system. Enables cross-document correlation independent of file location. Optional in casual use, expected in production documents."
     },
     "owner": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
+      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
       "description": "Team or individual responsible for this system's authorization and compliance. Maps to OSCAL responsible-party with role 'system-owner'."
     },
     "name": {
@@ -37,7 +37,7 @@
       "description": "Description of the system's purpose and mission."
     },
     "authorizationStatus": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.0.0#/$defs/Authorization_Status",
+      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.1.0#/$defs/Authorization_Status",
       "description": "Current Authorization to Operate (ATO) status."
     },
     "authorizationDate": {
@@ -46,7 +46,7 @@
       "description": "Date the current authorization status was granted. ISO 8601 format."
     },
     "categorizationLevel": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.0.0#/$defs/Categorization_Level",
+      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.1.0#/$defs/Categorization_Level",
       "description": "FIPS 199 security categorization (impact level)."
     },
     "boundaryDescription": {
@@ -57,21 +57,21 @@
       "type": "array",
       "minItems": 1,
       "items": {
-        "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.0.0#/$defs/Component"
+        "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.1.0#/$defs/Component"
       },
       "description": "System components within the authorization boundary. Uses the full polymorphic Component type with stable identity (componentId), external references, and SBOM support."
     },
     "controlDesignations": {
       "type": "array",
       "items": {
-        "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.0.0#/$defs/Control_Designation"
+        "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.1.0#/$defs/Control_Designation"
       },
       "description": "Declares which controls are common, hybrid, or system-specific, and which component provides them. Maps to NIST SP 800-53 control designations and OSCAL leveraged-authorizations."
     },
     "dataFlows": {
       "type": "array",
       "items": {
-        "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/data-flow/v3.0.0#/$defs/Data_Flow"
+        "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/data-flow/v3.1.0#/$defs/Data_Flow"
       },
       "description": "Inter-component data flows describing how components communicate. Supports local, cross-system, and external flows. Replaces the interconnections[] field."
     },
@@ -83,7 +83,7 @@
       "description": "Optional key-value labels for grouping and querying systems."
     },
     "integrity": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Integrity",
+      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Integrity",
       "description": "Cryptographic integrity information for verifying this system document has not been tampered with."
     },
     "version": {
@@ -91,7 +91,7 @@
       "description": "Version of this system document."
     },
     "generator": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Generator",
+      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Generator",
       "description": "Information about the tool that generated this system document."
     }
   },
@@ -139,9 +139,9 @@
     }
   ],
   "$defs": {
-    "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0": {
+    "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0": {
       "$schema": "https://json-schema.org/draft/2020-12/schema",
-      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0",
+      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0",
       "title": "HDF Common Primitives",
       "description": "Shared building blocks used by hdf-results and hdf-baseline schemas.",
       "$defs": {
@@ -957,9 +957,9 @@
         }
       }
     },
-    "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.0.0": {
+    "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.1.0": {
       "$schema": "https://json-schema.org/draft/2020-12/schema",
-      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.0.0",
+      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.1.0",
       "title": "HDF System Primitives",
       "description": "Types for describing system architecture, authorization boundaries, and components.",
       "$defs": {
@@ -1010,7 +1010,7 @@
               "description": "Rationale for why this override is needed."
             },
             "approvedBy": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
               "description": "Identity of the person or system that approved this override."
             }
           },
@@ -1091,9 +1091,9 @@
         }
       }
     },
-    "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.0.0": {
+    "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.1.0": {
       "$schema": "https://json-schema.org/draft/2020-12/schema",
-      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.0.0",
+      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.1.0",
       "title": "HDF Component Primitives",
       "description": "First-class system component with identity, polymorphic type, SBOM embedding, and system-binding properties. Components are the successor to Targets, adding stable identity (componentId), external system cross-references, and software inventory.",
       "$defs": {
@@ -1123,7 +1123,7 @@
               "description": "Description of this component's role or purpose."
             },
             "owner": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
               "description": "Team or individual responsible for this component. Enables per-component ownership when different teams manage different parts of a system."
             },
             "externalIds": {
@@ -1167,12 +1167,12 @@
             "inputOverrides": {
               "type": "array",
               "items": {
-                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.0.0#/$defs/Input_Override"
+                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.1.0#/$defs/Input_Override"
               },
               "description": "System-specific overrides for baseline input values."
             },
             "targetSelector": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.0.0#/$defs/Target_Selector",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.1.0#/$defs/Target_Selector",
               "description": "Label selector to match targets belonging to this component during migration. Targets with matching labels are automatically included."
             }
           },
@@ -1492,7 +1492,7 @@
                   "const": "cloudAccount"
                 },
                 "provider": {
-                  "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Cloud_Provider",
+                  "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Cloud_Provider",
                   "description": "Cloud provider."
                 },
                 "accountId": {
@@ -1531,7 +1531,7 @@
                   "const": "cloudResource"
                 },
                 "provider": {
-                  "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Cloud_Provider",
+                  "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Cloud_Provider",
                   "description": "Cloud provider."
                 },
                 "resourceType": {
@@ -1711,9 +1711,9 @@
         }
       }
     },
-    "https://mitre.github.io/hdf-libs/schemas/primitives/data-flow/v3.0.0": {
+    "https://mitre.github.io/hdf-libs/schemas/primitives/data-flow/v3.1.0": {
       "$schema": "https://json-schema.org/draft/2020-12/schema",
-      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/data-flow/v3.0.0",
+      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/data-flow/v3.1.0",
       "title": "HDF Data Flow Primitives",
       "description": "Types for describing data flows between components within a system and across system boundaries. Data flows model network connections, API calls, database queries, and other inter-component communication.",
       "$defs": {
@@ -1869,9 +1869,9 @@
         }
       }
     },
-    "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0": {
+    "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0": {
       "$schema": "https://json-schema.org/draft/2020-12/schema",
-      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0",
+      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0",
       "title": "HDF Extension Primitives",
       "description": "Extension types for waivers, attestations, generators, and integrity.",
       "$defs": {
@@ -1880,52 +1880,67 @@
           "unevaluatedProperties": false,
           "required": [
             "type",
-            "status",
             "reason",
             "appliedBy",
             "appliedAt",
             "expiresAt"
           ],
+          "anyOf": [
+            {
+              "required": [
+                "status"
+              ]
+            },
+            {
+              "required": [
+                "impact"
+              ]
+            }
+          ],
           "properties": {
             "type": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.0.0#/$defs/Override_Type",
-              "description": "The type of status override applied to this requirement."
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0#/$defs/Override_Type",
+              "description": "The type of override applied to this requirement."
             },
             "status": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0#/$defs/Result_Status",
-              "description": "The new status this override sets for the requirement. This intentionally changes the compliance status."
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0#/$defs/Result_Status",
+              "description": "The new status this override sets for the requirement. Optional when only impact is being overridden."
+            },
+            "impact": {
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0#/$defs/Impact_Override",
+              "description": "Override to the requirement's impact score. At least one of status or impact must be set."
             },
             "reason": {
               "type": "string",
-              "description": "Explanation for why this status override was applied."
+              "description": "Explanation for why this override was applied."
             },
             "appliedBy": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
-              "description": "Identity of who applied this status override. For simple cases, use type 'simple' with just an identifier."
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
+              "description": "Identity of who applied this override. For simple cases, use type 'simple' with just an identifier."
             },
             "appliedAt": {
               "type": "string",
               "format": "date-time",
-              "description": "Timestamp when this status override was applied. ISO 8601 format."
+              "description": "Timestamp when this override was applied. ISO 8601 format."
             },
             "expiresAt": {
               "type": "string",
               "format": "date-time",
-              "description": "Timestamp when this status override expires and must be reviewed/renewed. REQUIRED - no permanent status overrides allowed. ISO 8601 format."
+              "description": "Timestamp when this override expires and must be reviewed/renewed. REQUIRED - no permanent overrides allowed. ISO 8601 format."
             },
             "signature": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Signature",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Signature",
               "description": "Optional digital signature for enhanced trust and non-repudiation. Supports hardware security tokens (PKCS#11/PKCS#12), Yubikeys, GPG keys, passkeys, and other signing methods."
             },
             "evidence": {
               "type": "array",
               "items": {
-                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Evidence"
+                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Evidence"
               },
-              "description": "Supporting evidence for this status override, such as screenshots demonstrating manual verification for attestations."
+              "description": "Supporting evidence for this override, such as screenshots demonstrating manual verification for attestations."
             },
             "previousChecksum": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Checksum",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
               "description": "SHA-256 checksum of the previous amendment in chronological order. Creates a tamper-evident chain of amendments (similar to blockchain). Null for the first amendment on a requirement."
             }
           },
@@ -1941,6 +1956,41 @@
               "appliedAt": "2025-12-01T10:00:00Z",
               "expiresAt": "2026-12-01T00:00:00Z"
             },
+            {
+              "type": "riskAdjustment",
+              "impact": {
+                "value": 0.3
+              },
+              "reason": "CVE-123 is in a dead code path, unreachable from any entry point",
+              "appliedBy": {
+                "identifier": "dev@org.gov",
+                "type": "email"
+              },
+              "appliedAt": "2026-04-14T10:00:00Z",
+              "expiresAt": "2026-10-14T00:00:00Z"
+            },
+            {
+              "type": "falsePositive",
+              "status": "passed",
+              "reason": "STIG check misidentified sshd_config syntax; manual review confirms compliant configuration",
+              "appliedBy": {
+                "identifier": "assessor@agency.gov",
+                "type": "email"
+              },
+              "appliedAt": "2026-04-14T10:00:00Z",
+              "expiresAt": "2026-10-14T00:00:00Z"
+            },
+            {
+              "type": "falsePositive",
+              "status": "notApplicable",
+              "reason": "CVE scanner matched library signature but the vulnerable code path is not present — dependency compiled with affected module disabled",
+              "appliedBy": {
+                "identifier": "dev@org.gov",
+                "type": "email"
+              },
+              "appliedAt": "2026-04-14T10:00:00Z",
+              "expiresAt": "2026-10-14T00:00:00Z"
+            },
             {
               "type": "attestation",
               "status": "passed",
@@ -1968,7 +2018,7 @@
               ]
             }
           ],
-          "description": "An intentional change to a requirement's compliance status (waiver or attestation). Status overrides change the effectiveStatus of the requirement. All status overrides must have an expiration date to enforce periodic review.",
+          "description": "An intentional change to a requirement's compliance status and/or impact score. At least one of status or impact must be set. Overrides change the effectiveStatus or impact of the requirement. All overrides must have an expiration date to enforce periodic review.",
           "title": "Status Override"
         },
         "POAM": {
@@ -1986,16 +2036,17 @@
               "enum": [
                 "remediation",
                 "mitigation",
-                "riskAcceptance"
+                "riskAcceptance",
+                "vendorDependency"
               ],
-              "description": "The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via compensating controls. 'riskAcceptance' documents decision to accept risk."
+              "description": "The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via compensating controls. 'riskAcceptance' documents decision to accept risk. 'vendorDependency' tracks a fix that depends on a vendor releasing a patch or update."
             },
             "explanation": {
               "type": "string",
               "description": "Detailed explanation of the plan, including what actions will be taken."
             },
             "appliedBy": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
               "description": "Identity of who created this POA&M. For simple cases, use type 'simple' with just an identifier."
             },
             "appliedAt": {
@@ -2011,23 +2062,23 @@
             "milestones": {
               "type": "array",
               "items": {
-                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Milestone"
+                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Milestone"
               },
               "description": "Optional array of milestones tracking progress toward completion."
             },
             "signature": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Signature",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Signature",
               "description": "Optional digital signature for enhanced trust and non-repudiation."
             },
             "evidence": {
               "type": "array",
               "items": {
-                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Evidence"
+                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Evidence"
               },
               "description": "Supporting evidence for this POA&M, such as documentation of compensating controls or mitigation implementation."
             },
             "previousChecksum": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Checksum",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
               "description": "SHA-256 checksum of the previous amendment in chronological order. Creates a tamper-evident chain of amendments (similar to blockchain). Null for the first amendment on a requirement."
             }
           },
@@ -2178,7 +2229,7 @@
           },
           "properties": {
             "algorithm": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Hash_Algorithm",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Hash_Algorithm",
               "description": "The hash algorithm used for the checksum."
             },
             "checksum": {
@@ -2211,36 +2262,66 @@
         }
       }
     },
-    "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.0.0": {
+    "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0": {
       "$schema": "https://json-schema.org/draft/2020-12/schema",
-      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.0.0",
+      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0",
       "title": "HDF Amendment Primitives",
-      "description": "Types for waivers, attestations, exceptions, and POA&Ms that modify requirement compliance status.",
+      "description": "Types for waivers, attestations, and POA&Ms that modify requirement compliance status.",
       "$defs": {
         "Override_Type": {
           "type": "string",
           "enum": [
             "waiver",
             "attestation",
-            "exception",
             "poam",
-            "inherited"
+            "inherited",
+            "falsePositive",
+            "riskAdjustment",
+            "operationalRequirement"
           ],
-          "description": "The type of amendment. 'waiver': risk accepted (AO). 'attestation': manually verified (assessor). 'exception': not applicable (system owner + AO). 'poam': remediation tracked (no status change). 'inherited': control provided by another component or system (overrides to notApplicable/passed).",
+          "description": "The type of amendment, aligned with FedRAMP deviation request categories. 'waiver': risk accepted by Authorizing Official. 'attestation': manually verified by assessor. 'poam': remediation tracked (no status change). 'inherited': control provided by another component or system. 'falsePositive': scanner incorrectly identified a finding — for compliance scans (STIG, CIS), the check actually passes, so status is typically set to 'passed'; for vulnerability scans (CVE, SCA), the flagged vulnerability does not apply to this system, so status is typically set to 'notApplicable'. The disposition field on the requirement distinguishes false positives from genuinely not-applicable findings. 'riskAdjustment': impact score adjusted based on environmental context (FedRAMP Risk Adjustment); does not change pass/fail status, only impact via the impact field. 'operationalRequirement': deviation required by operational constraints (FedRAMP Operational Requirement); the finding cannot be remediated because the system requires the affected functionality. Remains an open risk. Migration note: 'exception' was removed in v3.1.0 — use 'waiver' with status 'notApplicable' instead.",
           "title": "Override Type"
         },
+        "Impact_Override": {
+          "type": "object",
+          "required": [
+            "value"
+          ],
+          "unevaluatedProperties": false,
+          "properties": {
+            "value": {
+              "type": "number",
+              "minimum": 0,
+              "maximum": 1,
+              "description": "The overridden impact score (0.0–1.0)."
+            }
+          },
+          "description": "An override to the requirement's impact score. The prior impact is the original result value or the preceding override in the chain.",
+          "title": "Impact Override"
+        },
         "Standalone_Override": {
           "type": "object",
           "unevaluatedProperties": false,
           "required": [
             "type",
             "requirementId",
-            "status",
             "reason",
             "appliedBy",
             "appliedAt",
             "expiresAt"
           ],
+          "anyOf": [
+            {
+              "required": [
+                "status"
+              ]
+            },
+            {
+              "required": [
+                "impact"
+              ]
+            }
+          ],
           "properties": {
             "type": {
               "$ref": "#/$defs/Override_Type",
@@ -2255,15 +2336,19 @@
               "description": "Name of the baseline containing the requirement. Required when the system has multiple baselines with potentially overlapping requirement IDs."
             },
             "status": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0#/$defs/Result_Status",
-              "description": "The new status this amendment sets. For POA&Ms, this is the current status (POA&Ms track work, they don't change status)."
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0#/$defs/Result_Status",
+              "description": "The new status this amendment sets. Optional when only impact is being overridden."
+            },
+            "impact": {
+              "$ref": "#/$defs/Impact_Override",
+              "description": "Override to the requirement's impact score. At least one of status or impact must be set."
             },
             "reason": {
               "type": "string",
               "description": "Justification for this amendment."
             },
             "appliedBy": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
               "description": "Identity of who applied this amendment."
             },
             "appliedAt": {
@@ -2279,22 +2364,22 @@
             "evidence": {
               "type": "array",
               "items": {
-                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Evidence"
+                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Evidence"
               },
               "description": "Supporting evidence (screenshots, logs, URLs, documents)."
             },
             "signature": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Signature",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Signature",
               "description": "Digital signature for non-repudiation."
             },
             "previousChecksum": {
-              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Checksum",
+              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
               "description": "Checksum of the prior amendment in the chain. Creates a tamper-evident linked list. Null for the first amendment."
             },
             "milestones": {
               "type": "array",
               "items": {
-                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Milestone"
+                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Milestone"
               },
               "description": "Remediation milestones (primarily for POA&M type amendments)."
             },
@@ -2330,6 +2415,46 @@
                 }
               ]
             },
+            {
+              "type": "falsePositive",
+              "requirementId": "SV-258010",
+              "baselineRef": "RHEL9-STIG",
+              "status": "passed",
+              "reason": "STIG check misidentified sshd_config syntax; manual review confirms compliant configuration",
+              "appliedBy": {
+                "type": "email",
+                "identifier": "assessor@agency.gov"
+              },
+              "appliedAt": "2026-04-14T10:00:00Z",
+              "expiresAt": "2026-10-14T00:00:00Z"
+            },
+            {
+              "type": "falsePositive",
+              "requirementId": "CVE-2026-12345",
+              "status": "notApplicable",
+              "reason": "CVE scanner matched library signature but the vulnerable code path is not present in our build — dependency is compiled with the affected module disabled",
+              "appliedBy": {
+                "type": "email",
+                "identifier": "dev@org.gov"
+              },
+              "appliedAt": "2026-04-14T10:00:00Z",
+              "expiresAt": "2026-10-14T00:00:00Z"
+            },
+            {
+              "type": "riskAdjustment",
+              "requirementId": "SV-258020",
+              "baselineRef": "RHEL9-STIG",
+              "impact": {
+                "value": 0.3
+              },
+              "reason": "CVE-123 is in a dead code path, unreachable from any entry point",
+              "appliedBy": {
+                "type": "email",
+                "identifier": "dev@org.gov"
+              },
+              "appliedAt": "2026-04-14T10:00:00Z",
+              "expiresAt": "2026-10-14T00:00:00Z"
+            },
             {
               "type": "poam",
               "requirementId": "SV-258001",
@@ -2370,14 +2495,14 @@
               "expiresAt": "2026-09-26T00:00:00Z"
             }
           ],
-          "description": "A standalone amendment that modifies a requirement's compliance status. Extends the inline Status_Override concept with requirementId and baselineRef for use outside of results documents.",
+          "description": "A standalone amendment that modifies a requirement's compliance status and/or impact score. At least one of status or impact must be set. Extends the inline Override concept with requirementId and baselineRef for use outside of results documents.",
           "title": "Standalone Override"
         }
       }
     },
-    "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0": {
+    "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0": {
       "$schema": "https://json-schema.org/draft/2020-12/schema",
-      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0",
+      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0",
       "title": "HDF Result Primitives",
       "description": "Types for representing assessment results and statuses.",
       "$defs": {